LFS and BLFS Security Advisories from September 2020 onwards

LFS has not reported Security Vulnerabilities in the Errata, at least recently, but tickets for some new versions have had details.

BLFS used to keep details of Security Vulnerabilities in the Errata, mostly updating them to point to the latest version in the development book and updating the brief text if a subsequent vulnerability was reported.

This page is a consolidated list for both LFS and BLFS.

This list contains summary details and links to upstreams or CVEs where available. Please note that vulnerabilities in package versions older than those in our 10.0 releases are not noted, so if you are running a version of BLFS before 10.0 you should check the Errata for past releases as well as monitoring the items here.

This page is ordered like the Changelog of the books, with newest items first.

The severity ratings are best estimates unless either upstream or NVD has assigned a rating. If no other analysis is available, High will usually be assumed; similarly, if a crash can be triggered, LFS and BLFS will normally rate that as High. If in doubt, read the links.

Items between the releases of the 11.3 and 11.4 books

11.3 027 QtWebEngine Date: 2023-05-13 Severity: Critical

In QtWebEngine-5.15.14, fixes for several recent Chromium security vulnerabilities were backported to the branch used for 5.15. One of these is rated as Critical, 11 others are rated as High. CVE-2023-1215, CVE-2023-1219, CVE-2023-1220, CVE-2023-1222, CVE-2023-1529, CVE-2023-1530, CVE-2023-1531, CVE-2023-1534, CVE-2023-1810, CVE-2023-1811, CVE-2023-2033, CVE-2023-2137, and CVE-2023-29469.

Qt-5.15 reaches End of Life on 2023-05-26, and it is unclear whether any further vulnerability fixes will be available after that. To fix these vulnerabilities, update to QtWebEngine-5.15.14 using the instructions for QtWebEngine (sysv) or QtWebEngine (systemd).

11.3 026 Firefox Date: 2023-05-09 Severity: High

In Firefox-102.11.0esr, six security vulnerabilities applicable to linux systems were fixed, four of them rated as High by upstream. Details at mfsa-2023-17. These vulnerabilities have been assigned CVE-2023-32205, CVE-2023-32206, CVE-2023-32207, CVE-2023-32211, CVE-2023-32213, CVE-2023-32215.

To fix these vulnerabilities, update to Firefox-102.11.0esr or later using the instructions for Firefox (sysv) or Firefox (systemd).

11.3 025 JS-102 Date: 2023-05-09 Severity: Medium

In the Javascript code of firefox-102.11.0 there are various changes, including what appears to be the fix for a type-checking bug reported against firefox, see CVE-2023-32211 in mfsa-2023-17. Further details may appear at CVE-2023-32211.

To fix this, update to JS-102.11.0 or later using the instructions for JS102 (sysv) or JS102 (systemd).

11.3 024 Texlive (20230313 source and 2023 binary) Date: 2023-05-09 Severity: Medium

In texlive_bugs (Known issues in TeX Live 2023), all users of the luatex programs are advised to update to v1.17.0. For the binary distribution that includes users of ConTeXt, which uses the luametatex binary; in texlive-source we only support ConTeXt using the mkiv backend, and that also needs a fix. The issue has been described as "obscure ways to work around some security features"; no further details are available.

Users of install-tl-unx who have installed lualatex should check the version using 'lualatex --version' and use tlmgr to update if the version is less than 1.17.0.

To fix this using the 2023 texlive-source, reinstall using the security-fixes-1 patch and, if you use ConTeXt, apply a sed to mtxrun.lua, following the instructions from texlive (sysv) or texlive (systemd). Unfortunately, you will then need to reinstall any of asymptote, biber, dvisvgm or xindy which you have installed.

11.3 023 Git Date: 2023-04-28 Severity: High

In several versions up to and including Git-2.40.0, three security issues were identified; they are fixed in Git-2.40.1. They allowed writing outside the working tree when applying a specially crafted patch, malicious placement of crafted messages under certain circumstances, and arbitrary configuration injection. These vulnerabilities have been assigned CVE-2023-25652, CVE-2023-25815, and CVE-2023-29007.

To fix these vulnerabilities, update to Git-2.40.1 or later using the instructions from Git (sysv) or Git (systemd).

11.3 022 WebKitGTK+ Date: 2023-04-23 Severity: Critical

In WebKitGTK+-2.40.1, six security vulnerabilities were fixed that could allow for remote code execution, remotely exploitable denial of service, Same Origin Policy bypass, and sensitive user information tracking. One of these vulnerabilities resulted in emergency updates from Apple and is known to be actively exploited, and can be triggered through malicious advertisements on web pages or other crafted web content. It's recommended that you update WebKitGTK+ immediately to protect yourself and your system. These vulnerabilities have been assigned CVE-2023-25358, CVE-2022-0108, CVE-2022-32885, CVE-2023-27932, CVE-2023-27954, and CVE-2023-28205.

To fix these vulnerabilities, update to WebKitGTK+-2.40.1 or later using the instructions from WebKitGTK+ (sysv) or WebKitGTK+ (systemd).

When updating to WebKitGTK+-2.40.1, you will need to install the 'unifdef' package. You only need the GTK+-3 version of WebKitGTK+, so set -DUSE_GTK4=OFF. If you do not want to install the new libavif package and its dependency, pass -DUSE_AVIF=OFF.

11.3 021 Wireshark Date: 2023-04-13 Severity: Medium

In Wireshark-4.0.5, three security vulnerabilities were fixed that could allow for denial of service via packet injection or crafted capture files. These can occur when using RPCoRDMA packets, LISP packets, or GQUIC packets. Two of these vulnerabilities cause a crash, and the other causes a huge loop that can run your system out of resources. If you're using RPCoRDMA, LISP, or GQUIC packets in your network, it's recommended to update Wireshark. These vulnerabilities have been assigned CVE-2023-1992, CVE-2023-1993, and CVE-2023-1994.

To fix these vulnerabilities, update to Wireshark-4.0.5 or later using the instructions from Wireshark (sysv) or Wireshark (systemd).

11.3 020 libxml2 Date: 2023-04-13 Severity: Medium

In libxml2-2.10.4, three security vulnerabilities were fixed that could cause crashes. One of these is because hashing of empty dict strings wasn't deterministic; the other two are due to null pointer dereferences in the xmlSchemaFixupComplexType and xmlSchemaCheckCOSSTDerivedOK functions. Note that only two of the three were assigned CVE IDs: CVE-2023-29469 and CVE-2023-28484.

To fix these vulnerabilities, update to libxml2-2.10.4 or later using the instructions for libxml2 (sysv) or libxml2 (systemd).

11.3 019 ghostscript Date: 2023-04-13 Severity: Critical

In ghostscript-10.01.1, a critical security vulnerability was fixed that allows for arbitrary code execution when loading crafted PostScript files. A proof of concept for this vulnerability is public, and it is known to be exploited. The vulnerability was fixed in ghostscript-10.01.1, but it was not known to be part of that update until a posting to oss-security on 2023-04-13 made it public. This vulnerability is called "Shell in the Ghost" and is due to a buffer overflow. It is imperative that you update ghostscript immediately on all systems which have it installed. This vulnerability has been assigned CVE-2023-28879.

To fix this vulnerability, update to ghostscript-10.01.1 or later using the instructions for ghostscript (sysv) or ghostscript (systemd).

11.3 018 Thunderbird Date: 2023-04-13 Severity: High

In Thunderbird-102.10.0, several security vulnerabilities were fixed that could allow for user confusion/spoofing attacks, potentially exploitable crashes, memory corruption, denial of service, security control bypasses (revocation status of S/MIME certificates were not checked), user interface hangs, remote code execution through download reflection and mishandling of .desktop files on Linux systems, and arbitrary code execution. Updating Thunderbird is highly recommended, and is crucial if you are using S/MIME encrypted email. These vulnerabilities have been assigned CVE-2023-29533, CVE-2023-29535, CVE-2023-29536, CVE-2023-0457, CVE-2023-29479, CVE-2023-29539, CVE-2023-29541, CVE-2023-1945, CVE-2023-29548, and CVE-2023-29550.

To fix these vulnerabilities, update to Thunderbird-102.10.0 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).

11.3 017 Firefox Date: 2023-04-11 Severity: High

In Firefox-102.10.0esr, seven security vulnerabilities applicable to Linux systems were fixed, four of them rated as High by upstream (a fix was also applied to the libwebp shipped with Firefox; BLFS uses the system libwebp, see SA 11.3-015). Details at mfsa-2023-14. These vulnerabilities have been assigned CVE-2023-1945, CVE-2023-29533, CVE-2023-29535, CVE-2023-29536, CVE-2023-29539, CVE-2023-29541, and CVE-2023-29550.

To fix these vulnerabilities, update to Firefox-102.10.0esr or later using the instructions for Firefox (sysv) or Firefox (systemd).

11.3 016 JS-102 Date: 2023-04-11 Severity: High

In the Javascript code of firefox-102.10.0 there is a fix for a potentially exploitable invalid free, rated as High by Mozilla - see CVE-2023-29536 in mfsa-2023-14. Further details may appear at CVE-2023-29536.

To fix this, update to JS-102.10.0 or later using the instructions for JS102 (sysv) or JS102 (systemd).

11.3 015 Libwebp Date: 2023-04-11 Severity: High

The update to firefox-102.10.0 makes public a double-free vulnerability in libwebp which the Mozilla developers say could lead to memory corruption and a potentially exploitable crash. See the MFSA-TMP-2001-001 entry in mfsa-2023-14.

To fix this in the absence of a newer libwebp release, apply the libwebp-1.3.0-upstream_fix-1.patch using the instructions for libwebp (sysv) or libwebp (systemd).

11.3 014 Seamonkey Date: 2023-04-07 Severity: High

In Seamonkey-2.53.16, three versions worth of Firefox and Thunderbird security vulnerabilities were resolved. This includes fixes for issues that could cause remotely exploitable crashes, remote code execution, invalid JavaScript execution, arbitrary file reads, content security policy bypass, screen hijacking, and content spoofing. These vulnerabilities have been assigned CVE-2022-46871, CVE-2023-23598, CVE-2023-23601, CVE-2023-23602, CVE-2022-46877, CVE-2023-23603, CVE-2023-23605, CVE-2023-23728, CVE-2023-0767, CVE-2023-25735, CVE-2023-25737, CVE-2023-25739, CVE-2023-25729, CVE-2023-25732, CVE-2023-25742, CVE-2023-25744, CVE-2023-25751, CVE-2023-28164, CVE-2023-28162, CVE-2023-25752, CVE-2023-28176, CVE-2023-0616, and CVE-2023-28427.

To fix these vulnerabilities, update to Seamonkey-2.53.16 or later using the instructions from Seamonkey (sysv) or Seamonkey (systemd).

11.3 013 Ruby Date: 2023-04-06 Severity: Medium

In Ruby-3.2.2, two security vulnerabilities were fixed that could allow for a denial of service when using the Time or URI gems bundled with Ruby. These issues are caused by mishandling of URLs with special characters, and of invalid strings containing specific characters. In both cases the result is a significantly longer execution time when parsing strings into URI or Time objects, so both have been officially classified as Regular Expression Denial of Service (ReDoS) vulnerabilities. If you do not want to update Ruby to version 3.2.2, you can update the gems manually using 'gem update uri' and 'gem update time' as a workaround. These vulnerabilities have been assigned CVE-2023-28755 and CVE-2023-28756.

To fix these vulnerabilities, update to Ruby-3.2.2 or later using the instructions from Ruby (sysv) or Ruby (systemd).

11.3 012 xwayland Date: 2023-04-02 Severity: High

In xwayland-23.1.1, a security vulnerability was fixed that could allow for local privilege escalation on systems where the X server is running privileged, and for remote code execution when using SSH X Forwarding. This vulnerability occurs due to a Use-After-Free, which happens if a client explicitly destroys the overlay window. The X server would leave a dangling pointer to that overlay window in the CompScreen structure, which would trigger a use-after-free later. This vulnerability has been assigned CVE-2023-1393.

To fix this vulnerability, update to xwayland-23.1.1 or later using the instructions from xwayland (sysv) or xwayland (systemd).

11.3 011 Linux Kernel (LFS) Date: 2023-03-31 Severity: Medium

In Linux 6.2.3 through 6.2.9, eleven vulnerabilities were fixed which could potentially allow a Denial of Service (deadlock or kernel panic), information leak (network filter bypass) or local privilege escalation. These vulnerabilities have been assigned CVE-2022-4269, CVE-2023-1032, CVE-2023-1076, CVE-2023-1077, CVE-2023-1079, CVE-2023-1118, CVE-2023-1583, CVE-2023-1670, CVE-2023-25012, CVE-2023-28466, and CVE-2023-28866.

To fix these vulnerabilities, update to Linux kernel 6.2.9 or later using the instructions for Linux Kernel (sysv) or Linux Kernel (systemd); or 6.1.22 or later if you prefer to stick with the 6.1 LTS series using the instructions for Linux Kernel (sysv) or Linux Kernel (systemd).

11.3 010 Thunderbird Date: 2023-03-30 Severity: High

In Thunderbird-102.9.1, a security vulnerability was fixed that could allow for a remotely exploitable denial-of-service when using the Matrix chat protocol in Thunderbird. This was fixed by updating the 3rd-party Matrix SDK that is bundled with Thunderbird to a more recent version. This vulnerability has been assigned CVE-2023-28427.

To fix this vulnerability, update to Thunderbird-102.9.1 or later using the instructions from Thunderbird (sysv) or Thunderbird (systemd).

11.3 009 xorg-server Date: 2023-03-30 Severity: High

In xorg-server-21.1.8, a security vulnerability was fixed that could allow for local privilege escalation on systems where the X server is running privileged, and for remote code execution when using SSH X Forwarding. This vulnerability occurs due to a Use-After-Free, which happens if a client explicitly destroys the overlay window. The X server would leave a dangling pointer to that overlay window in the CompScreen structure, which would trigger a use-after-free later. This vulnerability has been assigned CVE-2023-1393.

To fix this vulnerability, update to xorg-server-21.1.8 or later using the instructions from xorg-server (sysv) or xorg-server (systemd).

11.3 008 Samba Date: 2023-03-30 Severity: High

In Samba-4.18.1, three security vulnerabilities were fixed that could allow for unauthorized attribute deletion, password resets where the new password is transmitted in plaintext, and for confidential attribute disclosure. Note that all three of these vulnerabilities require the LDAP/AD DC role to exploit, and while this isn't the default configuration of Samba in BLFS, some users are known to use it. The most serious vulnerability of the three is the confidential attribute disclosure. It has been discovered to be usable to exfiltrate TPM owner passwords, certificate secret keys, and BitLocker recovery keys. For users who have Active Directory Domain Controllers using Samba and use these features on Windows clients, the Samba team states that you should assume that this information has been compromised, and steps should be taken to ensure that data that may have been leaked from confidential or otherwise access-controlled attributes is no longer useful. For example, drives should be re-encrypted if they are using BitLocker, TPM passwords should be changed, certificates should be re-issued, etc. Note that a successful exploitation will not show anything in the logs unless the log level is set to 10 (which is highly verbose). If you are using Samba as an AD DC, you should take immediate action. In addition to applying this update, you will need to take actions to protect any data that may have been compromised. See the information on CVE-2023-0614 for more details. These vulnerabilities have been assigned CVE-2023-0225, CVE-2023-0922, and CVE-2023-0614.

To fix these vulnerabilities, update to Samba-4.18.1 or later using the instructions from Samba (sysv) or Samba (systemd).

11.3 007 cURL Date: 2023-03-27 Severity: Medium

In cURL-8.0.1, six security vulnerabilities were fixed that could allow for authentication bypasses, remotely exploitable crashes, content filtering circumvention or arbitrary file writes, and command injection. Three of these occur due to improper reuse of connections when using GSS delegation, SSH, or FTP. The double-free remotely exploitable crash occurs when using HSTS, and the command injection occurs when using the TELNET protocol. The content filtering circumvention and arbitrary file writes occur when using SFTP, and happen due to a discrepancy in how the ~ (tilde) character is resolved. It's important to update cURL if you're using it to resolve HTTP URLs that redirect to HTTPS, or if you use TELNET/SSH/FTP/SFTP or GSS delegation with cURL. These vulnerabilities have been assigned CVE-2023-27538, CVE-2023-27537, CVE-2023-27536, CVE-2023-27535, CVE-2023-27534, and CVE-2023-27533.

To fix these vulnerabilities, update to cURL-8.0.1 or later using the instructions from cURL (sysv) or cURL (systemd).

11.3 006 Thunderbird Date: 2023-03-26 Severity: High

In Thunderbird-102.9.0, five security vulnerabilities applicable to Linux systems were resolved, and two of them were rated as High by upstream. These vulnerabilities are only applicable if you are reading mail with HTML in it, and can allow for potentially exploitable crashes, spoofing attacks, and potentially remote code execution. It's important to update if you receive HTML mail. These vulnerabilities have been assigned CVE-2023-25751, CVE-2023-25752, CVE-2023-28162, CVE-2023-28164, and CVE-2023-28176.

To fix these vulnerabilities, update to Thunderbird-102.9.0 or later using the instructions from Thunderbird (sysv) or Thunderbird (systemd).

11.3 005 Firefox Date: 2023-03-14 Severity: High

In Firefox-102.9.0esr, five security vulnerabilities applicable to linux systems were fixed, two of them rated as High by upstream. Details at mfsa-2023-10. These vulnerabilities have been assigned CVE-2023-25751, CVE-2023-25752, CVE-2023-28162, CVE-2023-28164 and CVE-2023-28176.

To fix these vulnerabilities, update to Firefox-102.9.0esr or later using the instructions for Firefox (sysv) or Firefox (systemd).

11.3 004 JS-102 Date: 2023-03-14 Severity: High

In the Javascript code of firefox-102.9.0 there is a fix for a potentially exploitable crash when invalidating JIT code, rated as High by Mozilla - see CVE-2023-25751 in mfsa-2023-10. Further details may appear at CVE-2023-25751.

To fix this, update to JS-102.9.0 or later using the instructions for JS102 (sysv) or JS102 (systemd).

11.3 003 QtWebEngine Date: 2023-03-10 Severity: High

In QtWebEngine-5.15.13, fixes for several recent Chromium security vulnerabilities rated as High were backported to the branch used for 5.15. CVE-2022-4437, CVE-2022-4438, CVE-2023-0129, CVE-2023-0472, CVE-2023-0698, CVE-2023-0931, and CVE-2023-0933.

To fix these vulnerabilities, update to QtWebEngine-5.15.13 or later using the instructions for QtWebEngine (sysv) or QtWebEngine (systemd).

11.3 002 Apache HTTPD Date: 2023-03-07 Severity: High

In httpd-2.4.56, two security vulnerabilities were fixed that could allow for HTTP Request Smuggling attacks. These can occur on servers where the mod_proxy and mod_rewrite modules are enabled, or where mod_proxy_uwsgi is enabled. Request splitting or smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, or cache poisoning. Special characters in the origin response header can truncate/split the response forwarded to the client. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user supplied request-target (URL) data, and it is re-inserted into the proxied request-target using variable substitution. You should update Apache HTTPD if you are using the mod_proxy and mod_rewrite modules in combination, or if you are using the mod_proxy_uwsgi module. These vulnerabilities have been assigned CVE-2023-27522 and CVE-2023-25690. Additional information regarding example configurations which are affected can be found in BLFS Ticket #17764.

To fix these vulnerabilities, update to httpd-2.4.56 or later using the instructions from Apache HTTPD (sysv) or Apache HTTPD (systemd).
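The advisory's description of an affected configuration (a RewriteRule or ProxyPassMatch with a non-specific pattern whose capture is re-inserted into the proxied request-target) is concrete enough to grep for. The script below is an added example, not part of the BLFS advisory or of Apache httpd: it scans httpd configuration files for exactly that shape and prints the directives worth reviewing. It is a heuristic: a rewrite to a path that is later proxied by a plain ProxyPass is not caught, and tightening the capture to a specific character class (shown in the constructed sample) only narrows what a client can inject; the fix is still the update to httpd-2.4.56.

```shell
#!/bin/sh
# Added example (not BLFS or Apache code): find RewriteRule [P] and
# ProxyPassMatch directives where a non-specific group such as (.*) or (.+)
# from the request-target is re-inserted into the proxied target via $1..$9.
# Heuristic only; it reports lines to review, it does not prove exploitability.

# scan_httpd_conf FILE...
# Prints "file:line: directive" for each suspicious directive.
# Returns 1 if anything was flagged, 0 if nothing was.
scan_httpd_conf() {
    hits=$(awk '
        # a regex group that contains .* or .+ (no closing paren in between)
        function wildcard_group(s) { return s ~ /\([^)]*\.[*+]/ }
        # the target re-inserts a capture group
        function reinserts_capture(s) { return s ~ /\$[1-9]/ }
        # the RewriteRule flag list contains P or P=...
        function proxy_flag(s,    flags, parts, n, i) {
            if (!match(s, /\[[^]]*\][ \t]*$/)) return 0
            flags = substr(s, RSTART + 1, RLENGTH - 1)
            sub(/\].*$/, "", flags)
            n = split(flags, parts, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", parts[i])
                if (parts[i] == "P" || parts[i] ~ /^P=/) return 1
            }
            return 0
        }
        /^[ \t]*#/ { next }
        /^[ \t]*ProxyPassMatch[ \t]/ {
            if (wildcard_group($0) && reinserts_capture($0))
                print FILENAME ":" FNR ": " $0
            next
        }
        /^[ \t]*RewriteRule[ \t]/ {
            if (wildcard_group($0) && reinserts_capture($0) && proxy_flag($0))
                print FILENAME ":" FNR ": " $0
        }
    ' "$@")
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Constructed sample configuration (not taken from any real server) so the
# scan can be run offline. backend.example.com is a placeholder host.
SAMPLE_HTTPD_CONF=$(mktemp)
cat > "$SAMPLE_HTTPD_CONF" <<'EOF'
# Affected shape: a wildcard capture from the request-target is proxied as-is.
RewriteRule "^/here/(.*)" "http://backend.example.com:8080/elsewhere?$1" [P]
ProxyPassMatch "^/api/(.*)$" "http://backend.example.com:8080/api/$1"
# Narrower shape: the capture is limited to a specific character class, so
# control characters and '?' from the client cannot reach the backend URL.
RewriteRule "^/img/([A-Za-z0-9_-]+)\.png$" "http://backend.example.com:8080/img/$1.png" [P]
# Internal redirect: nothing is proxied by this rule, so it is not reported.
RewriteRule "^/old/(.*)" "/new/$1" [R=301,L]
ProxyPass "/static/" "http://backend.example.com:8080/static/"
EOF

if scan_httpd_conf "$SAMPLE_HTTPD_CONF"; then
    echo "no proxy rewrites with non-specific captures found"
else
    echo "review the directives above (the sample is expected to yield two)"
fi
```

Run it against your real configuration with `scan_httpd_conf /etc/httpd/httpd.conf /etc/httpd/conf.d/*.conf` (adjust the paths to wherever BLFS installed httpd); any hit means the update is not optional for that host.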

11.3 001 Linux Kernel (LFS) Date: 2023-03-05 Severity: High

In Linux 6.2.2 five vulnerabilities were fixed which could potentially allow a Denial of Service (kernel panic) or sensitive information leak (insufficient protection against hardware vulnerabilities). These vulnerabilities have been assigned CVE-2022-2196, CVE-2022-27672, CVE-2023-1075, CVE-2023-1078, and CVE-2023-26545.

To fix these vulnerabilities, update to Linux kernel 6.2.2 or later using the instructions for Linux Kernel (sysv) or Linux Kernel (systemd); or 6.1.14 or later if you prefer to stick with the 6.1 LTS series using the instructions for Linux Kernel (sysv) or Linux Kernel (systemd).

Items between the releases of the 11.2 and 11.3 books

11.2 103 HTTP-Daemon Date: 2023-02-23 Severity: Medium

In HTTP-Daemon-6.15 a vulnerability was fixed which could potentially be exploited to gain privileged access to APIs or poison intermediate caches. It is uncertain how large the risk is: most Perl based applications are served on top of Nginx or Apache, not on HTTP::Daemon, and this library is commonly used for local development and tests. The vulnerability has been assigned CVE-2022-31081.

To fix this vulnerability, update to HTTP-Daemon-6.15 using the instructions for perl module HTTP::Daemon (sysv) or perl module HTTP::Daemon (systemd).

11.2 102 Epiphany Date: 2023-02-22 Severity: High

In Epiphany-43.1, a security vulnerability was fixed that could allow untrusted web content to trick a user into exfiltrating passwords. This occurs because autofill occurred in sandboxed contexts, and was worked around by disabling the password manager entirely when running inside of a sandbox. Google Security Research discovered this vulnerability and reported that it also impacts Safari, Bitwarden, and Dashlane, allows credentials to be automatically filled into untrusted pages without the master password, and allows for complete account compromise for any users who use the password management functionality. A proof-of-concept exploit has been made public. If you are using this function, you should update Epiphany immediately, even if you don't use the sandbox mode. This vulnerability has been assigned CVE-2023-26081. Additional information can be found in the Google Security Advisory on GitHub.

To fix this vulnerability, update to Epiphany-43.1 using the instructions for Epiphany (sysv) or Epiphany (systemd).

11.2 101 OpenJDK Date: 2023-02-22 Severity: Medium

In OpenJDK-19.0.2, two security vulnerabilities were fixed that could allow for an unauthorized partial Denial of Service, or compromise of some Java VM data. They apply to Java deployments, typically clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. These vulnerabilities have been assigned CVE-2023-21835 and CVE-2023-21843.

To fix these vulnerabilities, update to OpenJDK-19.0.2 using the instructions from OpenJDK (sysv) or OpenJDK (systemd).

11.2 100 WebKitGTK+ Date: 2023-02-21 Severity: Critical

In WebKitGTK+-2.38.5, a security vulnerability was fixed that could allow for remote code execution. It occurs when processing maliciously crafted web content. A proof of concept exists and is public, and Apple is aware of reports that this vulnerability is under active exploitation. This occurs due to type confusion, and was addressed with improved logic checks. A temporary workaround would be to set the environment variable JSC_useDFGJIT=0 to force WebKitGTK+ to not use the Just-In-Time JS compiler. If you have WebKitGTK+ installed on your system, it is imperative that you apply this update immediately. This vulnerability has been assigned CVE-2023-23529. Further information can be found in Apple's security advisory for iPadOS 16.3.1, which uses the same version of the WebKit rendering engine: Apple Security Advisory.

To fix this vulnerability, update to WebKitGTK+-2.38.5 using the instructions from WebKitGTK+ (sysv) or WebKitGTK+ (systemd).

When using these instructions, you must pass -DENABLE_DOCUMENTATION=OFF to the CMake command. The instructions in the development book are incompatible with packages which use WebKitGTK+ in BLFS 11.2 due to a difference in libsoup versions.

11.2 099 cURL Date: 2023-02-21 Severity: Medium

In cURL-7.88.1, three security vulnerabilities were fixed that could allow for denial of service and HSTS bypass. The denial of service issue occurs when transferring compressed data. The problem happens when data is compressed multiple times, since cURL supports chained HTTP compression algorithms. Due to a logic flaw, it was possible for malicious servers to insert a virtually unlimited number of compression steps simply by using many headers. This can cause a "malloc bomb", where cURL spends enormous amounts of heap memory and eventually runs out of system resources. Of the two HSTS bypass vulnerabilities, one occurs because cURL's HSTS cache saving behaved incorrectly when using multiple URLs in parallel, and the other because cURL's HSTS mechanism would ignore subsequent transfers done on the same command line (the state was not properly carried over). Note that the last HSTS vulnerability only affects the cURL command line utility, and not the library. These vulnerabilities have been assigned CVE-2023-23916, CVE-2023-23915, and CVE-2023-23914.

To fix these vulnerabilities, update to cURL-7.88.1 using the instructions from cURL (sysv) or cURL (systemd).

11.2 098 Thunderbird Date: 2023-02-21 Severity: High

In Thunderbird-102.8.0, several security vulnerabilities were fixed that could allow for user interface lockups, content security policy leaks, screen hijacks, arbitrary memory writes, crashes, undefined behavior, extensions opening applications and executing code without a user's knowledge, and remote code execution. As is the case for most Thunderbird vulnerabilities, exploiting these takes specially crafted emails, or installation of a third party extension which has been compromised. These vulnerabilities have been assigned CVE-2023-0616, CVE-2023-25728, CVE-2023-25730, CVE-2023-0767, CVE-2023-25735, CVE-2023-25737, CVE-2023-25739, CVE-2023-25729, CVE-2023-25732, CVE-2023-25742, and CVE-2023-25746.

To fix these vulnerabilities, update to Thunderbird-102.8.0 using the instructions from Thunderbird (sysv) or Thunderbird (systemd).

11.2 097 node.js Date: 2023-02-17 Severity: High

In node.js-18.14.1, five security vulnerabilities were fixed. One of these is rated as High. See node.js blog. These vulnerabilities have been assigned CVE-2023-23918, CVE-2023-23919, CVE-2023-23920, CVE-2023-23936, and CVE-2023-24807.

To fix these vulnerabilities, update to node.js-18.14.1 or later using the instructions from Node.js (sysv) or Node.js (systemd).

These also apply to node v16 from the 11.2 book, for that you could alternatively update to v16.19.1 using the instructions from the 11.2 book, but BLFS will not be tracking v16.

11.2 096 PHP Date: 2023-02-16 Severity: Critical

In PHP-8.2.3, three security vulnerabilities were fixed that could allow for trivial authentication bypass and denial-of-service (application crashes). The authentication bypass occurs in the password_verify() function, which was found to always return true for some hashes. One of the denial of service vulnerabilities is caused by a 1-byte array overrun in common path resolution code, and the other can be triggered when parsing multipart request bodies. It's imperative that you update PHP to 8.2.3 immediately if you are using the password_verify() function. These security vulnerabilities have been assigned CVE-2023-0567, CVE-2023-0568, and CVE-2023-0662.

To fix these vulnerabilities, update to PHP-8.2.3 using the instructions from PHP (sysv) or PHP (systemd).

11.2 095 git Date: 2023-02-16 Severity: Medium

In git-2.39.2, two security vulnerabilities were fixed that could allow for data exfiltration and path traversal by abusing symbolic links in repositories. One of these relies on the user feeding crafted input to the 'git apply' command (a path outside the working tree will be overwritten as long as that user has the authority to do so), and the other relies on the use of submodules. Note that the data exfiltration vulnerability can be worked around by not cloning repositories with '--recurse-submodules', and instead running 'git submodule update' at each layer of a repository using submodules. When doing this, it's also important to inspect all .gitmodules files to ensure that they do not contain suspicious module URLs. These vulnerabilities have been assigned CVE-2023-22490 and CVE-2023-23946.

To fix these vulnerabilities, update to git-2.39.2 or later using the instructions from git (sysv) or git (systemd).
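The submodule workaround above (no '--recurse-submodules', inspect each .gitmodules, then 'git submodule update' one layer at a time) is easy to get wrong by hand on a deeply nested tree. The script below is an added example, not part of the BLFS advisory or of git itself, that does the review step mechanically before each layer is fetched. Its allow-list is an assumption about what ordinary repositories use (https:// URLs and ssh URLs, either ssh:// or user@host:path); anything else, in particular file://, ext:: transports, absolute local paths and relative ../ paths, is reported for a human to look at. Adjust the list to your own policy.

```shell
#!/bin/sh
# Added example (not BLFS or git code): review .gitmodules and initialise
# submodules layer by layer, never with --recurse-submodules or --recursive.
# Assumption: only https:// and ssh (ssh:// or user@host:path) submodule URLs
# are expected; everything else is flagged for manual review.

# list_submodule_urls FILE  ->  one "name<TAB>url" line per submodule entry
list_submodule_urls() {
    awk '
        /^[ \t]*\[submodule / {
            name = $0
            sub(/^[ \t]*\[submodule[ \t]+"/, "", name)
            sub(/"[ \t]*\][ \t]*$/, "", name)
            next
        }
        /^[ \t]*url[ \t]*=/ {
            url = $0
            sub(/^[ \t]*url[ \t]*=[ \t]*/, "", url)
            print name "\t" url
        }
    ' "$1"
}

# url_needs_review URL  ->  returns 0 (true) if a human should look at it first
url_needs_review() {
    case "$1" in
        ext::*|file://*|/*|../*|./*) return 0 ;;  # can run commands or read local paths
        https://*|ssh://*|*@*:*)     return 1 ;;  # transports we expect to see
        *)                           return 0 ;;  # http://, git://, anything unexpected
    esac
}

# check_gitmodules FILE  ->  prints entries to review; returns 1 if there are any
check_gitmodules() {
    flagged=$(list_submodule_urls "$1" | while IFS="$(printf '\t')" read -r name url; do
        if url_needs_review "$url"; then
            printf 'REVIEW: submodule "%s" -> %s\n' "$name" "$url"
        fi
    done)
    [ -z "$flagged" ] && return 0
    printf '%s\n' "$flagged"
    return 1
}

# init_submodules_checked [DIR]
# Initialise submodules one layer at a time, checking each .gitmodules before
# anything from that layer is fetched. Stops at the first layer needing review.
init_submodules_checked() {
    set -- "${1:-.}"
    [ -f "$1/.gitmodules" ] || return 0
    check_gitmodules "$1/.gitmodules" || return 1
    git -C "$1" submodule update --init || return 1      # this layer only
    git config -f "$1/.gitmodules" --get-regexp '^submodule\..*\.path$' \
        | awk '{ print $2 }' \
        | while read -r sub; do
            init_submodules_checked "$1/$sub" || exit 1
        done
}

# Constructed sample .gitmodules (not from any real repository) for a dry run.
SAMPLE_GITMODULES=$(mktemp)
cat > "$SAMPLE_GITMODULES" <<'EOF'
[submodule "libfoo"]
    path = third_party/libfoo
    url = https://example.org/libfoo.git
[submodule "tools"]
    path = tools
    url = git@example.org:tools.git
[submodule "mirror"]
    path = mirror
    url = ext::sh -c 'echo this transport can run commands'
EOF

if check_gitmodules "$SAMPLE_GITMODULES"; then
    echo "all submodule URLs look ordinary; git submodule update --init is reasonable"
else
    echo "do not run git submodule update until the entries above are understood"
fi
```

After a plain 'git clone' (without '--recurse-submodules') of an untrusted repository, run 'init_submodules_checked /path/to/clone'; it refuses to fetch a layer whose .gitmodules it cannot vouch for, which is the property the manual workaround relies on.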

11.2 094 Intel Microcode Date: 2023-02-15 Severity: High

In intel-microcode-20230214, three hardware vulnerabilities were fixed. Two of them allow a local privileged user to disclose information inside an SGX (Intel Software Guard Extensions) enclave, affecting 9th Generation Intel Core desktop processors, 10th Generation Intel Core mobile processors, Intel Pentium Silver, J, and N Series processors, 3rd Generation Intel Xeon Scalable processors, and Intel Xeon D processors. The other allows a privileged user to escalate privileges via adjacent network access, affecting 3rd Generation Intel Xeon Scalable processors and Intel Atom P59xx, P53xx, and C53xx processors. These vulnerabilities have been assigned CVE-2022-21216, CVE-2022-33196, and CVE-2022-38090.

If you are running the system on an affected processor, to fix these vulnerabilities update to intel-microcode-20230214 or later using the instructions for About Firmware (sysv) or About Firmware (systemd).

11.2 093 Firefox Date: 2023-02-14 Severity: High

In Firefox-102.8.0esr, eleven security vulnerabilities applicable to Linux systems were fixed, eight of them rated as High by upstream. Details at mfsa-2023-06. These vulnerabilities have been assigned CVE-2023-0767 (which only applies if using the shipped NSS instead of system NSS), CVE-2023-25728, CVE-2023-25729, CVE-2023-25730, CVE-2023-25732, CVE-2023-25735, CVE-2023-25737, CVE-2023-25739, CVE-2023-25742, CVE-2023-25744 and CVE-2023-25746.

To fix these vulnerabilities, update to Firefox-102.8.0esr or later using the instructions for Firefox (sysv) or Firefox (systemd).

11.2 092 JS-102 Date: 2023-02-14 Severity: High

In the Javascript code of firefox-102.8.0 there is a fix for a Use After Free, which could cause a potentially exploitable crash, rated as High by Mozilla - see CVE-2023-25735 in mfsa-2023-06. Further details may appear at CVE-2023-25735.

To fix this, update to JS-102.8.0 or later using the instructions for JS102 (sysv) or JS102 (systemd).

11.2 091 NSS Updated: 2023-02-14 Severity: High

In NSS-3.88.1, 3.79.4 and 3.87.1, a bug was fixed where an attacker could construct a PKCS #12 certificate bundle in such a way that it could allow arbitrary memory writes.

This has been assigned CVE-2023-0767 and is mentioned in the Mozilla advisory for the Firefox-102.8.0 release, mfsa-2023-06.

To fix this, update to at least NSS-3.88.1 using the instructions for NSS (sysv) or NSS (systemd).

11.2 090 ImageMagick Date: 2023-02-14 Severity: High

BLFS updated to ImageMagick-7.1.0-61 from 7.1.0-46. Belatedly, two CVEs have been raised against 7.1.0-49 (each with the same one-line fix in 7.1.0-52). These were for a Denial of Service and possible information disclosure on PNG files. The relevant code in 7.1.0-49 was identical in 7.1.0-46. These vulnerabilities have been assigned CVE-2022-44267 and CVE-2022-44268.

To fix these, update to ImageMagick-7.1.0-61 or later using the instructions for ImageMagick (sysv) or ImageMagick (systemd).

11.2 089 GnuTLS Date: 2023-02-14 Severity: Medium

In GnuTLS-3.8.0, a security vulnerability which allowed a remote attacker to perform a man-in-the-middle attack was fixed. An error in TLS RSA key exchange allowed a remote attacker to perform Bleichenbacher oracle attacks using malformed TLS RSA keys, and potentially decrypt information. This vulnerability has been assigned CVE-2023-0361.

To fix this vulnerability, update to GnuTLS-3.8.0 or later using the instructions for GnuTLS (sysv) or GnuTLS (systemd).

11.2 088 Seamonkey Date: 2023-02-13 Severity: Critical

In Seamonkey-2.53.15, several security vulnerabilities that were fixed in Firefox and Thunderbird's 102.x series were fixed. These could allow for remote code execution, email spoofing, content security bypasses, UI spoofing, DNS redirection, remotely exploitable crashes, and keystroke leakage. Update to Seamonkey-2.53.15 immediately. These vulnerabilities have been assigned CVE-2022-36319, CVE-2022-36318, CVE-2022-2505, CVE-2022-38472, CVE-2022-38473, CVE-2022-38476, CVE-2022-38477, CVE-2022-3033, CVE-2022-3032, CVE-2022-3034, CVE-2022-36059, CVE-2022-3266, CVE-2022-40959, CVE-2022-40960, CVE-2022-40958, CVE-2022-40956, CVE-2022-40597, CVE-2022-40692, CVE-2022-39249, CVE-2022-39250, CVE-2022-39251, CVE-2022-39236, CVE-2022-42927, CVE-2022-42928, CVE-2022-42929, CVE-2022-42932, CVE-2022-45403, CVE-2022-45404, CVE-2022-45405, CVE-2022-45406, CVE-2022-45408, CVE-2022-45409, CVE-2022-45410, CVE-2022-45411, CVE-2022-45412, CVE-2022-45416, CVE-2022-45418, CVE-2022-45420, CVE-2022-45421, CVE-2022-46874, CVE-2022-46880, CVE-2022-46872, CVE-2022-46881, CVE-2022-46874, CVE-2022-46882, CVE-2022-46878.

To fix these vulnerabilities, update to Seamonkey-2.53.15 or later using the instructions from Seamonkey (sysv) or Seamonkey (systemd).

11.2 087 Thunderbird Date: 2023-02-13 Severity: High

In Thunderbird-102.7.2, several security vulnerabilities were fixed that could allow for arbitrary file reads, spoofing attacks, content security policy bypasses, notification bypasses, remote code execution, and invalid signature verification of emails (due to the revocation status of S/MIME signature certificates not being checked). Update to Thunderbird-102.7.2 as soon as possible, especially if you are using the signature verification functionality. These vulnerabilities have been assigned CVE-2022-46871, CVE-2023-23958, CVE-2023-23601, CVE-2023-23602, CVE-2023-23603, CVE-2023-23605, and CVE-2023-0430.

To fix these vulnerabilities, update to Thunderbird-102.7.2 or later using the instructions from Thunderbird (sysv) or Thunderbird (systemd).

11.2 086 Samba Date: 2023-02-12 Severity: High

In Samba-4.17.5, a significant improvement to a prior security fix for a high severity security vulnerability was released. This vulnerability allowed for elevation of privilege to root through the Netlogon RPC subsystem, and also affected Windows. Note that this version of Samba also fixes several other bugs when using macOS clients with Samba. This vulnerability has been assigned CVE-2022-38023.

To fix this vulnerability, update to Samba-4.17.5 using the instructions from Samba (sysv) or Samba (systemd).

11.2 085 PostgreSQL Date: 2023-02-12 Severity: Low

In PostgreSQL-15.2, a security vulnerability was fixed that could allow an unauthenticated server to send an unterminated string during the establishment of Kerberos transport encryption. When this occurs, and a libpq client application has a Kerberos credential cache set up and does not explicitly disable the gssencmode option, the server can cause libpq to over-read and report an error message containing uninitialized bytes from and following its receive buffer. If the caller somehow makes that message accessible to the attacker, this achieves a disclosure of the over-read bytes. It has not been confirmed that a crash or leakage of confidential information can be achieved. It is important that you update PostgreSQL if you are using Kerberos transport encryption in your configuration. Alternatively, you can disable the gssencmode option as a workaround on any clients. Note that no dump/restore is required if upgrading from another version in the 15 series, and 14.7 has been released for PostgreSQL-14 users. This vulnerability has been assigned CVE-2022-41862.

To fix this vulnerability, update to PostgreSQL-15.2 or later using the instructions from PostgreSQL (sysv) or PostgreSQL (systemd).

11.2 084 Xwayland Date: 2023-02-09 Severity: High

In Xwayland before version 22.1.8, a dangling pointer in DeepCopyPointerClasses can be exploited by ProcXkbSetDeviceInfo() and ProcXkbGetDeviceInfo() to read/write into freed memory. This issue can lead to local privilege elevation on systems where Xwayland is running privileged, and to remote code execution for ssh X forwarding sessions. This vulnerability has been assigned CVE-2023-0494.

To fix this, update to at least Xwayland-22.1.8 using the instructions for Xwayland (sysv) or Xwayland (systemd).

11.2 083 e2fsprogs (LFS) Date: 2023-02-07 Severity: High

In e2fsprogs-1.46.6, a security vulnerability was fixed that could allow for a segmentation fault or arbitrary code execution when mounting or running fsck on a specially crafted filesystem. This occurs due to an out-of-bounds read/write. This vulnerability has been assigned CVE-2022-1304.

To fix this vulnerability, update to e2fsprogs-1.46.6 or later using the instructions from e2fsprogs (sysv) or e2fsprogs (systemd).

11.2 082 OpenSSL (LFS) Date: 2023-02-07 Severity: High

In OpenSSL-3.0.8, eight security vulnerabilities were fixed that could allow for remotely exploitable denial of service, arbitrary reading of memory (including the ability to harvest private keys), plaintext data recovery, and side channel attacks. These vulnerabilities occur when performing PKCS7 data verification, validating DSA public keys, decrypting RSA data, using X.509 certificates, and when using various different OpenSSL API functions. Since OpenSSL is used in a variety of different contexts and applications for cryptography operations, it is imperative that you update OpenSSL on all affected systems immediately. For older systems which do not use OpenSSL-3 (LFS 11.1 for example), you should upgrade to 1.1.1t instead of 3.0.8. These vulnerabilities have been assigned CVE-2023-0286, CVE-2022-4304, CVE-2022-4203, CVE-2023-0215, CVE-2022-4450, CVE-2023-0216, CVE-2023-0217, and CVE-2023-0401. Additional information can be found at OpenSSL Security Advisory.

To fix these vulnerabilities, update to OpenSSL-3.0.8 or later using the instructions from OpenSSL (sysv) or OpenSSL (systemd).

11.2 081 Linux Kernel (LFS) Date: 2023-02-07 Severity: High

In Linux-6.1.9 (and 5.15.91), three security vulnerabilities were fixed that could allow for remotely exploitable system crashes, leakage of stack/heap addresses, local privilege escalation, and arbitrary code execution. These vulnerabilities existed in the Netfilter subsystem (buffer overflow), the IPv6 subsystem (NULL pointer dereference in rawv6_push_pending_frames), and the kernel's NTFS3 driver (NULL pointer dereference). The IPv6 vulnerability can be exploited during normal system usage, and the NTFS vulnerability requires the user to mount a filesystem with NTFS Extended Attributes. The most serious of these vulnerabilities is the Netfilter buffer overflow, and a mitigation is possible by running "sysctl -w kernel.unprivileged_userns_clone=0". Note that this will break desktop environments and any other applications which use User Namespaces, such as QtWebEngine. These vulnerabilities have been assigned CVE-2023-0179, CVE-2023-0394, and CVE-2022-4842.

To fix these vulnerabilities, update to Linux-6.1.9 (or Linux-5.15.91) or later using the instructions for Linux Kernel (sysv) or Linux Kernel (systemd).

11.2 080 WebKitGTK+ Date: 2023-02-07 Severity: Critical

In WebKitGTK+-2.38.4, three security vulnerabilities were fixed that could allow for remote code execution when processing maliciously crafted web content. All three of these issues are related to memory management problems. Note that since WebKitGTK+ is used to process HTML content in emails when using Evolution, it is possible for malicious HTML emails to exploit these vulnerabilities. These vulnerabilities may also be exploited via malicious advertisements. These vulnerabilities have been assigned CVE-2023-23517, CVE-2023-23518, and CVE-2022-42826. Further information can be found in Apple's security advisory for Safari 16.3, which uses the same version of the WebKit rendering engine: Apple Security Advisory.

To fix these vulnerabilities, update to WebKitGTK+-2.38.4 using the instructions from WebKitGTK+ (sysv) or WebKitGTK+ (systemd).

When using these instructions, you must pass -DENABLE_DOCUMENTATION=OFF to the CMake command. The instructions in the development book are incompatible with packages which use WebKitGTK+ in BLFS 11.2 due to a difference in libsoup versions.

11.2 079 Wireshark Date: 2023-02-07 Severity: High

In Wireshark-4.0.3, several security vulnerabilities were fixed that could allow for crashes, memory leaks, and excessive CPU resource consumption. These vulnerabilities all occur when dissecting different types of packets during a packet capture or analysis, and can be exploited by running Wireshark on a network which has crafted EAP, NFS, GNW, iSCSI, TIPC, BPv6, NCP, or RTPS packets passing through it. This can also occur by reading a malformed packet trace file. These vulnerabilities have not been assigned CVEs, but more details about them can be found at WNPA-SEC-2023-01, WNPA-SEC-2023-02, WNPA-SEC-2023-03, WNPA-SEC-2023-04, WNPA-SEC-2023-05, WNPA-SEC-2023-06, and WNPA-SEC-2023-07.

To fix these vulnerabilities, update to Wireshark-4.0.3 using the instructions from Wireshark (sysv) or Wireshark (systemd).

11.2 078 Xorg-Server Date: 2023-02-07 Severity: High

In Xorg-Server before version 21.1.7, a dangling pointer in DeepCopyPointerClasses can be exploited by ProcXkbSetDeviceInfo() and ProcXkbGetDeviceInfo() to read/write into freed memory. This issue can lead to local privilege elevation on systems where the X server is running privileged, and to remote code execution for ssh X forwarding sessions. This vulnerability has been assigned CVE-2023-0494.

To fix this, update to at least Xorg-Server-21.1.7 using the instructions for Xorg-Server (sysv) or Xorg-Server (systemd).

11.2 077 Apr Date: 2023-02-02 Severity: Medium

In apr-1.7.0 and earlier, three vulnerabilities have been found:

An Integer Overflow or Wraparound vulnerability in the apr_encode functions of Apache Portable Runtime (APR) allows an attacker to write beyond the bounds of a buffer.

On Windows, Apache Portable Runtime 1.7.0 and earlier may write beyond the end of a stack based buffer in apr_socket_sendv(). This is a result of an integer overflow.

The fix for an out-of-bounds array dereference in the apr_time_exp*() functions was restored (it was missing from 1.7.0).

These could allow for denial of service or remote code execution. These vulnerabilities have been assigned CVE-2022-24963, CVE-2022-28331, and CVE-2021-35940.

To fix these vulnerabilities, update to apr-1.7.2 using the instructions from Apr (sysv) or Apr (systemd).

11.2 076 Apr-Util Date: 2023-02-02 Severity: Medium

In apr-util-1.6.1 and prior, an integer overflow or wraparound vulnerability in apr_base64 functions allows an attacker to write beyond bounds of a buffer. This could allow for denial of service or arbitrary code execution. This vulnerability has been assigned CVE-2022-25147.

To fix this vulnerability, update to apr-util-1.6.3 using the instructions from Apr-Util (sysv) or Apr-Util (systemd).

11.2 075 Glibc (LFS) Date: 2023-02-01 Severity: Medium

In Glibc-2.37, a security vulnerability was fixed in the syslog function that could allow an information disclosure with a long (> 1024 bytes) input. This vulnerability has been assigned CVE-2022-39046. The only Glibc release affected is 2.36.

To fix this vulnerability, back up the system first, then apply the patch for Glibc-2.36 and rebuild it with the instructions from Glibc. After testing the package with make check, instead of installing it directly, perform a DESTDIR installation with make install DESTDIR=$PWD/dest. Now, as the root user, replace the library files containing the syslog function:

install -vm755 dest/usr/lib/libc.so.6 /usr/lib
install -vm644 dest/usr/lib/libc.a    /usr/lib

If the debug symbols for Glibc are stripped from the library files and saved in a separate libc.so.6.dbg file (as demonstrated in Stripping), use the following commands instead to replace the library files and the debug symbol file:

objcopy --only-keep-debug dest/usr/lib/libc.so.6{,.dbg}
strip   --strip-unneeded  dest/usr/lib/libc.{a,so.6}
objcopy --add-gnu-debuglink=/usr/lib/libc.so.6.dbg dest/usr/lib/libc.so.6
install -vm755 dest/usr/lib/libc.so.6         /usr/lib
install -vm644 dest/usr/lib/libc.{a,so.6.dbg} /usr/lib

After the files are replaced, reboot the system immediately.

Alternatively, update to the latest LFS stable release if you can afford a system rebuild.

11.2 074 Sudo Date: 2023-01-20 Severity: Medium

In Sudo-1.9.12p2, a flaw in sudo's -e option (aka sudoedit) was fixed that could allow a malicious user with sudoedit privileges to edit arbitrary files. This vulnerability has been assigned CVE-2023-22809.

To fix this vulnerability, update to Sudo-1.9.12p2 using the instructions from Sudo.

11.2 073 PHP Date: 2023-01-19 Severity: Medium

In PHP-8.2.1, a security vulnerability was fixed in the PDO_SQLite module that could allow for an unquoted string to be returned due to an uncaught integer overflow in PDO::quote(). This is due to PHP's implementation of sqlite3_snprintf(), where it is possible to force the function to return a single apostrophe if the function is called on user supplied input without any length restrictions in place. Upgrading to PHP-8.2.1 is only necessary if you use the PDO_SQLite module. This vulnerability has been assigned CVE-2022-31631.

To fix this vulnerability, update to PHP-8.2.1 using the instructions from PHP (sysv) or PHP (systemd).

11.2 072 Apache HTTPD Date: 2023-01-19 Severity: High

In httpd-2.4.55, three security vulnerabilities were fixed in the mod_proxy, mod_proxy_ajp, and mod_dav modules which could allow for remotely exploitable crashes, HTTP Response Splitting, and Request Smuggling. These vulnerabilities only affect BLFS users who have those modules enabled in their HTTPD configuration. These vulnerabilities have been assigned CVE-2006-20001, CVE-2022-36370, and CVE-2022-37436.

To fix these vulnerabilities, update to httpd-2.4.55 using the instructions from Apache (sysv) or Apache (systemd).

11.2 071 git Date: 2023-01-19 Severity: Critical

In git-2.39.1, two security vulnerabilities were fixed which could allow for arbitrary heap reads and writes, which can allow for remote code execution. The git project advises all users to upgrade immediately as no workarounds are available for the issues. The issues can occur when using the 'git log' and 'git archive' commands, especially when using the --format option, and they can also occur when a .gitattributes file exists within a repository. These issues are all classified as integer overflows. These vulnerabilities have been assigned CVE-2022-41903 and CVE-2022-23521.

To fix these vulnerabilities, update to git-2.39.1 using the instructions from git (sysv) or git (systemd).

11.2 070 Linux Kernel (LFS) Date: 2023-01-19 Severity: Critical

In Linux-6.1.6 (and Linux-5.15.89), several security vulnerabilities were fixed that could allow for information disclosure, remote code execution, remotely-triggered denial of service, and data loss. These vulnerabilities occur in a variety of places, including the core network stack, namespaces (Net/User namespaces), the BPF subsystem, the SGI-GRU subsystem, the NFS Daemon, the multimedia subsystem (for digital video recorders), the VMware and Intel graphics drivers, the network scheduler, the /proc filesystem, the Xen subsystem, the sysctl subsystem, and the Bluetooth subsystem. Because of the number of vulnerabilities and their severities, it is recommended to upgrade your kernel as soon as possible. These vulnerabilities have been assigned CVE-2022-4378, CVE-2022-3435, CVE-2022-45934, CVE-2022-42329, CVE-2022-3643, CVE-2022-42328, CVE-2022-3531, CVE-2022-3532, CVE-2022-3534, CVE-2022-3424, CVE-2022-4379, CVE-2022-36280, CVE-2022-41218, CVE-2023-23454, CVE-2022-3707, CVE-2022-23455, and CVE-2023-0210.

To fix these vulnerabilities, update to Linux-6.1.6 (or Linux-5.15.89) or later using the instructions for Linux Kernel (sysv) or Linux Kernel (systemd).

11.2 069 rxvt-unicode Date: 2023-01-19 Severity: Critical

In rxvt-unicode-9.31, a critical security vulnerability was fixed that could allow for remote code execution in the Perl background extension, when an attacker can control the data written to the user's terminal and certain options are set. Note that the default configuration supplied in BLFS 11.2 is vulnerable due to its usage of the Perl extension. This vulnerability has been assigned CVE-2022-4170.

To fix this vulnerability, update to rxvt-unicode-9.31 or later using the instructions from rxvt-unicode (sysv) or rxvt-unicode (systemd).

11.2 068 WebKitGTK+ Date: 2023-01-19 Severity: High

In WebKitGTK+-2.38.3, several security vulnerabilities were fixed that could allow for remote code execution, disclosure of process memory, Same Origin Policy bypass, sensitive user information disclosure, and denial of service. These vulnerabilities all occur when processing crafted web content, and may be exploited via malicious advertisements on pages as well as embedded HTML content in mails, and standard visits to malicious webpages. Most of these issues were fixed with improved input validation, improved memory handling, and improved state handling. These vulnerabilities have been assigned CVE-2022-42852, CVE-2022-42856, CVE-2022-42867, CVE-2022-46692, CVE-2022-46698, CVE-2022-46699, and CVE-2022-46700.

To fix these vulnerabilities, update to WebKitGTK+-2.38.3 using the instructions from WebKitGTK+ (sysv) or WebKitGTK+ (systemd).

When using these instructions, you must pass -DENABLE_DOCUMENTATION=OFF to the CMake command. The instructions in the development book are incompatible with packages which use WebKitGTK+ in BLFS 11.2 due to a difference in libsoup versions.

11.2 067 Firefox Date: 2023-01-17 Severity: High

In Firefox-102.7.0esr, seven security vulnerabilities were fixed, three of them rated as High by upstream. Details at mfsa-2023-02. These vulnerabilities have been assigned CVE-2023-23598, CVE-2023-23601, CVE-2023-23602, CVE-2023-23603, CVE-2023-23605, CVE-2023-46871 and CVE-2023-46877.

To fix these vulnerabilities, update to Firefox-102.7.0esr or later using the instructions for Firefox (sysv) or Firefox (systemd).

11.2 066 Rust Date: 2023-01-15 Severity: Medium

In all versions of Rust before 1.66.1, Cargo did not perform SSH host key verification when cloning indexes and dependencies via SSH. An attacker could exploit this to perform man-in-the-middle attacks. Note that even if you don't explicitly use SSH for alternate registry indexes or crate dependencies, you might be affected by this vulnerability if you have configured git to replace HTTPS connections to GitHub with SSH, as that'd cause you to clone the crates.io index through SSH.

The Rust security advisory is https://blog.rust-lang.org/2023/01/10/cve-2022-46176.html. At the moment it appears that most Rust users do not explicitly use SSH, but the usage of SSH by developers who use Rust is not known. For those who do explicitly use SSH with Rust, the severity should be regarded as High.

Please see CVE-2022-46176.

To fix this vulnerability, update to rustc-1.66.1 (or a later version) using the instructions for Rust (sysv) or Rust (systemd).

11.2 065 QtWebEngine Date: 2023-01-07 Severity: Critical

In QtWebEngine-5.15.12, many Chromium security vulnerabilities were fixed, including two rated as Critical that allow a remote attacker who has compromised the renderer to escape the sandbox, as well as many rated High allowing a remote attacker to potentially exploit heap corruption. Most of these are via a crafted HTML page, two are via a crafted PDF file, and a few require the user to install a malicious extension (which might not apply to users of qtwebengine). CVE-2022-4262, CVE-2022-4181, CVE-2022-4180, CVE-2022-4174, CVE-2022-3890, CVE-2022-3887, CVE-2022-3885, CVE-2022-3573, CVE-2022-3446, CVE-2022-3445, CVE-2022-3373, CVE-2022-3370, CVE-2022-3304, CVE-2022-3201, CVE-2022-3200, CVE-2022-3199, CVE-2022-3198, CVE-2022-3197, CVE-2022-3196, CVE-2022-3075, CVE-2022-3046, CVE-2022-3041, CVE-2022-3040, and CVE-2022-3038.

To fix these vulnerabilities, update to QtWebEngine-5.15.12 or later using the instructions for QtWebEngine (sysv) or QtWebEngine (systemd).

11.2 064 libtiff Date: 2022-12-30 Severity: High

In libtiff-4.5.0, ten security vulnerabilities were fixed that could allow for a denial-of-service or arbitrary code execution when using the tiffcrop utility, as well as when an application checks for a codec-specific tag using the _TIFFCheckFieldIsValidForCodec() function. These occur due to memory allocation problems, floating-point exceptions, buffer overflows, and invalid behavior. Note that the _TIFFCheckFieldIsValidForCodec() function can be exploited by any application that uses Libtiff, including thumbnailers. These vulnerabilities have been assigned CVE-2022-3599, CVE-2022-34526, CVE-2022-3570, CVE-2022-3598, CVE-2022-3627, CVE-2022-3597, CVE-2022-3626, CVE-2022-2056, CVE-2022-2057, and CVE-2022-2058.

To fix these vulnerabilities, update to libtiff-4.5.0 using the instructions from libtiff (sysv) or libtiff (systemd).

11.2 063 cURL Date: 2022-12-30 Severity: Low

In cURL-7.87.0, two security vulnerabilities were fixed that could allow for HSTS bypasses and for secure tunneling to fail when using TELNET and SMB. In the case of the HSTS bypass, this can lead to plaintext transmission of sensitive information, and in the case of the secure tunnel failure, it can allow for either a crash or unintended behavior. Note that you must use internationalized domain names (IDN) for the HSTS bypass to work, and you must use SMB/TELNET through cURL and stunnel for the stunnel failure to work. These vulnerabilities have been assigned CVE-2022-43551 and CVE-2022-43552.

To fix these vulnerabilities, update to cURL-7.87.0 or later using the instructions from cURL (sysv) or cURL (systemd).

11.2 062 glib Date: 2022-12-30 Severity: High

In glib-2.74.4, several security vulnerabilities in the GVariant subsystem when processing untrusted data were fixed, and some input validation was added to 'GDBusMenuModel'. Upstream has declared these as security fixes, but no CVEs have been assigned, and there are a variety of impacts such as denial of service, arbitrary code execution, and undesirable application behavior. Please check the forum post for more details: GNOME Discourse Forum Post.

To fix these vulnerabilities, update to glib-2.74.4 or later using the instructions from glib (sysv) or glib (systemd).

11.2 061 systemd (LFS and BLFS) Date: 2022-12-28 Severity: High

In systemd-246 and higher, a security vulnerability was discovered that could allow for a local information leak and for privilege escalation. This vulnerability exists in the systemd-coredump program, and is caused by systemd-coredump not respecting the fs.suid_dumpable kernel setting. The BLFS team has developed a patch for systemd-251 and systemd-252 that fixes this vulnerability. Note that this vulnerability theoretically could be exploited any time an application crashes, and can even be exploited by users who intentionally crash programs (such as the 'su' command). There is a proof-of-concept available publicly that allows for the root user's password hash to be leaked through the usage of the 'su' command by an unprivileged user. If you do not wish to patch systemd, a workaround would be to set the fs.suid_dumpable flag to 0, using the following command: "sysctl -w fs.suid_dumpable=0", but note that you will be unable to debug application crashes from other users (including from root). This vulnerability has been assigned CVE-2022-4415, and more information is available at oss-security mailing list post.

To fix this vulnerability, update to systemd-252 with the patch using the instructions from systemd in BLFS development.

Alternatively, you can rebuild systemd-251 with the patch from systemd-251 security patch, applying this patch before the systemd-251-glibc_2.36_fix-1.patch in systemd in BLFS 11.2.

11.2 060 Python3 (LFS and BLFS) Date: 2022-12-26 Severity: High, or Critical

The development books are using Python-3.11 and the details of how to build that series of Python have changed. If you update from an older series to 3.11 you will need to rebuild all Python3 modules, including meson and wheel (the latter was added for LFS-11.2). Alternatively, Python-3.10 (and some older series) are still maintained by upstream although fixes may take a little longer to appear. If you stick with 3.10 on an existing system you will not need to rebuild modules. Therefore, please choose whether to upgrade to Python-3.11.1 or to Python-3.10.9.

In Python-3.11.1, five security vulnerabilities were fixed, with one rated as High. See Python 3.11.1 Release Notes. The IDNA codec decoder vulnerability has been assigned CVE-2022-45061; the other vulnerabilities have not been assigned CVEs.

To fix these vulnerabilities using the Python-3.11 series, update to Python-3.11.1 using the instructions from the BLFS book for Python3 (sysv) or Python3 (systemd).

Alternatively, in Python-3.10.9 a similar set of vulnerabilities, with one rated as Critical and two rated as High, have been fixed; see Python 3.10.9 Release Notes. The fixes with CVEs are CVE-2022-37474, CVE-2022-42919 and CVE-2022-45061. Please note that you should read the 'Looking for a specific release?' section of https://www.python.org/downloads/ to get the source and to find when a future 3.10 release is available.

To fix these vulnerabilities, update to Python-3.10.9 but follow the instructions from the BLFS 11.2 books: Python3 (sysv) or Python3 (systemd).

11.2 059 Libksba Date: 2022-12-21 Severity: High

In libksba-1.6.3 a severe bug in parsing ASN.1 structures was fixed. Full details are at the GnuPG blog, and it has been assigned CVE-2022-47629.

To fix this, update to Libksba-1.6.3 or later using the instructions for Libksba (sysv) or Libksba (systemd).

11.2 058 xorg-server Date: 2022-12-20 Severity: Medium

In xorg-server-21.1.6, two security vulnerabilities were fixed that could allow an attacker to write into random memory of the X server. This is especially a problem when the server is run as root. These vulnerabilities have been assigned CVE-2022-3550 and CVE-2022-3551.

To fix these vulnerabilities, update to xorg-server-21.1.6 or later using the instructions for xorg-server (sysv) or xorg-server (systemd).

11.2 057 Samba Date: 2022-12-15 Severity: High

In Samba-4.17.4, four security vulnerabilities were fixed that could allow for elevation of privilege. These vulnerabilities are identical to the "Microsoft Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability" and "Netlogon RPC Elevation of Privilege Vulnerability" disclosed on November 8th, 2022. It was later found that these vulnerabilities allow for privilege escalation in the same way within Samba. Three of the vulnerabilities (which are related to Kerberos) require the system to be in an Active Directory domain, or Samba running in AD DC mode. However, the Netlogon vulnerability affects all configurations of Samba. Note that this update also fixes support for connecting to (and from) Microsoft Windows 11 22H2 systems, which could previously cause Samba to crash. These vulnerabilities have been assigned CVE-2022-37966, CVE-2022-37967, CVE-2022-38023, and CVE-2022-45141.

To fix these vulnerabilities, update to Samba-4.17.4 using the instructions from Samba (sysv) or Samba (systemd).

11.2 056 WebKitGTK+ Date: 2022-12-15 Severity: Critical

In WebKitGTK+-2.38.2, five security vulnerabilities were fixed that could allow for arbitrary code execution, remote code execution, disclosure of internal states from the application, user interface spoofing, and disclosure of sensitive user information (such as saved passwords). These vulnerabilities were resolved with improved boundary checking, state management, UI handling, and memory handling. These vulnerabilities can be exploited through malicious advertisements, HTML email, and via browsing to an impacted site. The BLFS team recommends updating WebKitGTK+ immediately. These vulnerabilities have been assigned CVE-2022-32888, CVE-2022-32923, CVE-2022-42799, CVE-2022-42823, and CVE-2022-42824.

To fix these vulnerabilities, update to WebKitGTK+-2.38.2 using the instructions from WebKitGTK+ (sysv) or WebKitGTK+ (systemd).

When using these instructions, you must pass -DENABLE_DOCUMENTATION=OFF to the CMake command. The instructions in the development book are incompatible with packages which use WebKitGTK+ in BLFS 11.2 due to a difference in libsoup versions.

11.2 055 xwayland Date: 2022-12-15 Severity: High

In xwayland-22.1.6, six security vulnerabilities were fixed that could allow for local attackers to elevate privileges, and for remote attackers to elevate privileges on systems that use X forwarding. These vulnerabilities have been assigned CVE-2022-46340, CVE-2022-46341, CVE-2022-46342, CVE-2022-46343, CVE-2022-46344, and CVE-2022-4283.

To fix these vulnerabilities, update to xwayland-22.1.6 or later using the instructions for xwayland (sysv) or xwayland (systemd).

11.2 054 xorg-server Date: 2022-12-15 Severity: High

In xorg-server-21.1.5, six security vulnerabilities were fixed that could allow for local attackers to elevate privileges, and for remote attackers to elevate privileges on systems that use X forwarding. These vulnerabilities have been assigned CVE-2022-46340, CVE-2022-46341, CVE-2022-46342, CVE-2022-46343, CVE-2022-46344, and CVE-2022-4283.

To fix these vulnerabilities, update to xorg-server-21.1.5 or later using the instructions for xorg-server (sysv) or xorg-server (systemd).

11.2 053 Thunderbird Date: 2023-01-17 Severity: Critical

In Thunderbird-102.6.0, six security vulnerabilities were fixed, four of them rated as High by upstream. Details at mfsa-2022-53. CVE-2022-46882 has now been rated as Critical by nvd.nist.gov. These vulnerabilities have been assigned CVE-2022-46872, CVE-2022-46874, CVE-2022-46878, CVE-2022-46880, CVE-2022-46881 and CVE-2022-46882.

To fix these vulnerabilities, update to Thunderbird-102.6.0 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).

11.2 052 Firefox Revised: 2023-01-17 Severity: Critical

In Firefox-102.6.0esr, six security vulnerabilities were fixed, four of them rated as High by upstream. Details at mfsa-2022-52. CVE-2022-46882 has now been rated as Critical by nvd.nist.gov. These vulnerabilities have been assigned CVE-2022-46872, CVE-2022-46874, CVE-2022-46878, CVE-2022-46880, CVE-2022-46881 and CVE-2022-46882.

To fix these vulnerabilities, update to Firefox-102.6.0esr or later using the instructions for Firefox (sysv) or Firefox (systemd).

11.2 051 Wireshark Date: 2022-12-08 Severity: Medium

In Wireshark-4.0.2, two security vulnerabilities were fixed that could allow for a denial of service (CPU resource exhaustion) due to infinite loops in protocol dissectors. These vulnerabilities impact the BPv6, OpenFlow, and Kafka protocol dissectors in particular, and can be triggered either via a malicious PCAP packet trace, or when using Wireshark to capture packets on a network. If you are using Wireshark on a network where BPv6, OpenFlow, or Kafka packets may be transmitted, update to Wireshark-4.0.2. These vulnerabilities have not been assigned CVEs at this time, but more details about them can be found here: Wireshark Security Advisory 2022-09 and Wireshark Security Advisory 2022-10.

To fix these vulnerabilities, update to Wireshark-4.0.2 or later using the instructions for Wireshark (sysv) or Wireshark (systemd).

11.2 050 Ruby Date: 2022-12-08 Severity: High

In Ruby-3.1.3, a security vulnerability was fixed that can allow HTTP response splitting in applications which use the 'CGI' gem. If an application which uses the built-in 'CGI' gem generates HTTP responses from untrusted or unverified user input, an attacker can exploit it to inject a malicious HTTP response header and/or body. The contents of the CGI::Cookie object were also not checked properly: if an application creates a cookie from such malicious user input, an attacker could inject invalid attributes into the Set-Cookie header. Since this gem is built into the Ruby interpreter itself, updating is recommended even if you do not run Ruby applications which handle HTTP requests. This vulnerability has been assigned CVE-2021-33621.

To fix this vulnerability, update to Ruby-3.1.3 or later using the instructions from Ruby (sysv) or Ruby (systemd).
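A defensive illustration of the two checks the entry above describes, added here as example code (it is not code from Ruby's CGI gem or from the BLFS book): before a header or Set-Cookie line is emitted, the name, value and Path attribute are checked for the bytes that make response splitting possible (CR and LF) and for the characters that let extra attributes be smuggled into Set-Cookie (';' and the other characters outside the RFC 6265 cookie-name and cookie-value grammars). The function names, the always-on Secure/HttpOnly attributes and the sample inputs are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* A header line may never contain CR or LF: either byte ends the current
 * header and lets an attacker start a new header or the response body. */
bool header_text_is_safe(const char *s)
{
    for (; *s; s++)
        if (*s == '\r' || *s == '\n')
            return false;
    return true;
}

/* RFC 6265 cookie-name is an HTTP token: printable ASCII without the
 * separator characters (tspecials), space or tab; it may not be empty. */
bool cookie_name_is_valid(const char *name)
{
    static const char tspecials[] = "()<>@,;:\\\"/[]?={}";
    if (*name == '\0')
        return false;
    for (; *name; name++) {
        unsigned char c = (unsigned char)*name;
        if (c <= 0x20 || c >= 0x7f || strchr(tspecials, c))
            return false;
    }
    return true;
}

/* RFC 6265 cookie-octet: printable ASCII except CTLs, whitespace, double
 * quote, comma, semicolon and backslash. A ';' inside a value is exactly
 * what lets an attacker append attributes to the Set-Cookie line. */
bool cookie_value_is_valid(const char *value)
{
    for (; *value; value++) {
        unsigned char c = (unsigned char)*value;
        if (c <= 0x20 || c >= 0x7f || c == '"' || c == ',' ||
            c == ';' || c == '\\')
            return false;
    }
    return true;
}

/* A Path attribute value may not contain CTLs or ';'. */
bool cookie_path_is_valid(const char *path)
{
    for (; *path; path++) {
        unsigned char c = (unsigned char)*path;
        if (c < 0x20 || c == 0x7f || c == ';')
            return false;
    }
    return true;
}

/* Build a Set-Cookie line only from validated parts. Returns the length
 * written, or -1 if any part is rejected or the buffer is too small.
 * Secure and HttpOnly are always added (an assumption for this example). */
int build_set_cookie(char *out, size_t outlen, const char *name,
                     const char *value, const char *path)
{
    if (!cookie_name_is_valid(name) || !cookie_value_is_valid(value) ||
        !cookie_path_is_valid(path))
        return -1;
    int n = snprintf(out, outlen, "Set-Cookie: %s=%s; Path=%s; Secure; HttpOnly",
                     name, value, path);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

/* Convenience wrapper: the built line from a static buffer, or NULL when
 * the input was rejected. */
const char *set_cookie_line(const char *name, const char *value, const char *path)
{
    static char buf[512];
    return build_set_cookie(buf, sizeof buf, name, value, path) < 0 ? NULL : buf;
}

int main(void)
{
    /* Constructed inputs: one benign cookie value and two hostile ones. */
    const char *values[] = {
        "abc123",                          /* accepted */
        "abc123; Domain=attacker.example", /* attribute injection via ';' */
        "x\r\nSet-Cookie: admin=1",        /* response splitting via CRLF */
    };
    for (size_t i = 0; i < sizeof values / sizeof values[0]; i++) {
        const char *line = set_cookie_line("sid", values[i], "/");
        printf("value %zu: %s\n", i, line ? line : "rejected");
    }
    return 0;
}
```

Only the first constructed value produces a Set-Cookie line; the other two are refused before anything is written, which is the behaviour an application wants from a framework that assembles headers from user-controlled data.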

11.2 049 Linux Kernel (LFS) Date: 2022-12-04 Severity: Medium

In Linux-6.0.11 (and Linux-5.15.81), a security vulnerability has been fixed. It affects the integrated graphics of 12th generation Intel processors. The full consequences have not yet been analyzed, but it allows an attacker to gain read/write access to physical memory through the GPU, possibly leading to data leaks and memory corruption. This vulnerability has been assigned CVE-2022-4139.

To fix this vulnerability, update to Linux-6.0.11 (or Linux-5.15.81) or later using the instructions for Linux Kernel (sysv) or Linux Kernel (systemd).

11.2 048 Thunderbird Date: 2022-12-02 Severity: Moderate

In Thunderbird-102.5.1, a security vulnerability was fixed, rated as Moderate by upstream. Details at mfsa-2022-50. This vulnerability has been assigned CVE-2022-45403.

To fix this vulnerability, update to Thunderbird-102.5.1 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).

11.2 047 Linux Kernel (LFS) Date: 2022-11-23 Severity: Medium

In Linux-6.0.8 (and Linux-5.15.78), three security vulnerabilities have been fixed. One of those could be exploited with a malicious USB device to trivially cause a kernel panic. If KASLR is disabled or bypassed, exploitation might also lead to arbitrary code execution. The consequences of the other two vulnerabilities are not fully published yet. These vulnerabilities have been assigned CVE-2022-3628, CVE-2022-42895, and CVE-2022-42896.

To fix these vulnerabilities, update to Linux-6.0.8 (or Linux-5.15.78) or later using the instructions for Linux Kernel (sysv) or Linux Kernel (systemd).

11.2 046 Thunderbird Date: 2022-11-20 Severity: High

In Thunderbird-102.5.0, thirteen security vulnerabilities were fixed, seven of them rated as High by upstream. Details at mfsa-2022-49. These vulnerabilities have been assigned CVE-2022-45403, CVE-2022-45404, CVE-2022-45405, CVE-2022-45406, CVE-2022-45408, CVE-2022-45409, CVE-2022-45410, CVE-2022-45411, CVE-2022-45412, CVE-2022-45416, CVE-2022-45418, CVE-2022-45420 and CVE-2022-45421.

To fix these vulnerabilities, update to Thunderbird-102.5.0 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).

11.2 045 Samba Date: 2022-11-17 Severity: Medium

In Samba-4.17.3, a security vulnerability was fixed that could allow for arbitrary code execution or application crashes on 32-bit systems. These occur due to the same bug as the one in krb5, because Samba uses a bundled copy of MIT Kerberos (and the Heimdal implementation is also impacted). If you are using Samba in a server capacity on a 32-bit system, update to Samba-4.17.3 immediately. This vulnerability has been assigned CVE-2022-42898.

To fix this vulnerability, update to Samba-4.17.3 or later using the instructions from Samba (sysv) or Samba (systemd).

11.2 044 krb5 Date: 2022-11-17 Severity: Medium

In krb5-1.20.1, a security vulnerability was fixed that could allow for arbitrary code execution or application crashes on 32-bit systems. These occur due to a bug which allows remote attackers to read beyond the bounds of allocated memory, due to an integer overflow. Note that Samba is also impacted by this vulnerability, but again only on 32-bit systems. Privileged attackers can also crash applications which rely on the Kerberos libraries, rather than just the Kerberos applications (such as krb5kdc and kadmind). Since this vulnerability only affects 32-bit systems, the severity is only listed as Medium. However, if you are running such a system, especially in a server capacity, you should update to krb5-1.20.1 immediately. This vulnerability has been assigned CVE-2022-42898.

To fix this vulnerability, update to krb5-1.20.1 or later using the instructions from MIT Kerberos V5 (sysv) or MIT Kerberos V5 (systemd).

11.2 043 Firefox Date: 2022-10-18 Severity: High

In Firefox-102.5.0esr, twelve security vulnerabilities were fixed, seven of them rated as High by upstream. Details at mfsa-2022-48. These vulnerabilities have been assigned CVE-2022-45403, CVE-2022-45404, CVE-2022-45405, CVE-2022-45406, CVE-2022-45408, CVE-2022-45409, CVE-2022-45410, CVE-2022-45411, CVE-2022-45412, CVE-2022-45418, CVE-2022-45420 and CVE-2022-45421.

To fix these vulnerabilities, update to Firefox-102.5.0esr or later using the instructions for Firefox (sysv) or Firefox (systemd).

11.2 042 JS-102 Date: 2022-11-16 Severity: High

In the Javascript code of firefox-102.5.0 there is a fix for a Use After Free of a Javascript Realm, which could cause a potentially exploitable crash, rated as High by Mozilla - see CVE-2022-45406 in mfsa-2022-48. Further details may appear at CVE-2022-45406.

To fix this, update to JS-102.5.0 or later using the instructions for JS102 (sysv) or JS102 (systemd).

11.2 041 xfce4-settings Date: 2022-11-14 Severity: High

In xfce4-settings-4.16.5, a security vulnerability was fixed that could allow for argument injection when processing MIME types. This could allow an attacker to inject arguments, such as a path to a remote filesystem, into a MIME type when using the xfce4-mime-settings program (or using "Default Applications" within the Settings Manager). The details for this vulnerability are sparse at this time, with the only mentions of it being within a release note, and the Gitlab issue is not public yet. As a result, it is unknown if a CVE has been assigned. However, more details can be found at the upstream commit and the XFCE Mailing List Announcement.

To fix this vulnerability, update to xfce4-settings-4.16.5 or later using the instructions from xfce4-settings (sysv) or xfce4-settings (systemd).

11.2 040 sysstat Date: 2022-11-14 Severity: High

In sysstat-12.6.1, a security vulnerability was fixed that could allow for remote code execution when using the sysstat utilities. This occurs due to a size_t overflow in the shared code between all of the utilities. The function in question, allocate_structures, does not check boundaries before arithmetic manipulation, allowing for an overflow in the size allocated for representing system activities. This can lead to remote code execution, but only affects 32-bit machines. 64-bit machines are thus immune to this vulnerability. Note that the most common way of triggering this vulnerability is by displaying activity files. This vulnerability has been assigned CVE-2022-39377.

To fix this vulnerability, update to sysstat-12.6.1 or later using the instructions from sysstat (sysv) or sysstat (systemd).

11.2 039 PHP Date: 2022-11-10 Severity: Critical

In PHP-8.1.12, two security vulnerabilities were fixed in a couple of the internal modules that could allow for passing specially crafted data to a web application, to trigger an out-of-bounds read error, to read contents of memory on the system, decrypt information, and to execute arbitrary code. Both of these vulnerabilities are a result of insufficient input validation and buffer overflows. One of them is in the hashing library and is due to an underlying bug in the XKCP SHA-3 Reference Implementation, and the other occurs in the imageloadfont() function when the GD module is in use. If you run an application that uses the GD or Hash modules in PHP, you should update to the latest version immediately. These vulnerabilities have been assigned CVE-2022-31630 and CVE-2022-37454.

To fix these vulnerabilities, update to PHP-8.1.12 using the instructions for PHP (sysv) or PHP (systemd).

11.2 038 ntfs-3g Date: 2022-11-09 Severity: High

In ntfs-3g-2022.10.3, a security vulnerability was fixed that could allow arbitrary code execution at the kernel level. Note that successful exploitation of this vulnerability requires physical access to the computer in order to insert a compromised USB flash drive. The vulnerability is a result of invalid verification of some of the NTFS metadata, and it is classified as a buffer overflow. It is exploitable through both the ntfs-3g driver and all of the NTFS utilities (which may be used on systems where creating or checking an NTFS filesystem is necessary). If you regularly use external media which is shared with other users, updating to ntfs-3g-2022.10.3 is recommended. This vulnerability has been assigned CVE-2022-40284.

To fix this vulnerability, update to ntfs-3g-2022.10.3 using the instructions for ntfs-3g (sysv) or ntfs-3g (systemd).

11.2 037 Pixman Date: 2022-11-09 Severity: High

In Pixman-0.42.2, a security vulnerability was fixed that could allow for either arbitrary code execution or denial-of-service, depending on the context that the library is used in. This vulnerability was caused by an integer overflow in the rasterize_edges_8() function, and is classified as an out-of-bounds write/heap buffer overflow. A proof of concept for this vulnerability exists in the wild, but just causes a crash. Since Pixman is used in most web browsers for pixmap processing, it is recommended that you update to the latest version as soon as possible. This vulnerability has been assigned CVE-2022-44638.

To fix this vulnerability, update to Pixman-0.42.2 or later using the instructions for Pixman (sysv) or Pixman (systemd).

11.2 036 zlib (LFS) Date: 2022-11-09 Severity: Critical

In zlib-1.2.13, a security vulnerability was fixed that could allow for arbitrary code execution when an application calls inflateGetHeader with an overly large gzip header extra field. This is caused by a heap buffer overflow or a buffer over-read. Zlib is used in many, many packages, such as cURL and Node.js, but this is often not advertised. A public exploit exists for this vulnerability, and exploitation is trivial. Upstream has pulled the previous version of zlib for download, so this one must be used when constructing new LFS 11.2 systems. Update to zlib-1.2.13 immediately. This vulnerability has been assigned CVE-2022-37434.

To fix this vulnerability, update to zlib-1.2.13 using the instructions from zlib (sysv) or zlib (systemd).

NOTE: When upgrading to zlib-1.2.13, update the stripping commands in Chapter 8 to use libz.so.1.2.13 instead of libz.so.1.2.12. This will prevent your system from breaking after running the stripping commands.

11.2 035 node.js Date: 2022-11-09 Severity: Medium

In node.js-18.12.1, three security vulnerabilities were fixed. Only one applies to the version (16.18.0) which is in the stable book. It allows an attacker to perform DNS rebinding and execute arbitrary code by passing an invalid octal IP address during a "--inspect" session. This vulnerability has been assigned CVE-2022-43548.

To fix this vulnerability, update to node.js-18.12.1 or later using the instructions from Node.js (sysv) or Node.js (systemd).

11.2 034 jasper Date: 2022-11-08 Severity: High

In jasper-4.0.0, two security vulnerabilities were fixed that could allow for a denial of service when processing crafted JPEG2000 images. These occur due to memory leaks in the cmdopts_parse function, and an integer overflow in jasper's inttobits() function, which is used when processing JPEG2000 images. Note that this can be exploited through any application which uses jasper for processing JPEG2000 images, such as ImageMagick, gegl (GIMP), or Qt5 (KDE applications such as Gwenview and Okular). Update this package to avoid crashes in those programs. These vulnerabilities have been assigned CVE-2022-2963 and CVE-2022-40755.

To fix these vulnerabilities, update to jasper-4.0.0 or later using the instructions from jasper (sysv) or jasper (systemd).

11.2 033 Sudo Date: 2022-11-08 Severity: High

In Sudo-1.9.12p1, a security vulnerability was fixed that could allow for arbitrary code execution, privilege escalation, or a denial of service. This vulnerability occurs due to a heap-based buffer overread which happens due to an array out-of-bounds error. This vulnerability has a significantly worse impact on x86_64 systems, while on i686 systems it just causes a crash. This can be triggered by arbitrary local users with access to Sudo by entering a password of 7 characters or fewer. Note that this only affects the default BLFS configuration of Sudo, which does not use PAM. If you use PAM with Sudo, you are immune to this vulnerability. A temporary mitigation is to use a password which is more than 8 characters in length. This vulnerability has been assigned CVE-2022-43995.

To fix this vulnerability, update to Sudo-1.9.12p1 or later using the instructions from Sudo (sysv) or Sudo (systemd).

11.2 032 OpenSSL (LFS) Date: 2022-11-01 Severity: High

In OpenSSL-3.0.7, three security vulnerabilities were fixed that could allow for remote code execution and denial of service. Note that one of these vulnerabilities was fixed in OpenSSL-3.0.6, but that version was withdrawn shortly after it was released. In the case of the remote code execution, an attacker can craft a malicious email address which will overflow four attacker-controlled bytes on the stack, which guarantees denial-of-service and potentially also causes remote code execution. One of these vulnerabilities is exploitable by a crafted email address which has several '.' (dots) in it. One of the vulnerabilities also allows for NULL encryption when using a custom cipher, but this is uncommon and no packages in LFS or BLFS use this feature. Note that any of these vulnerabilities can be triggered by a TLS client connecting to a malicious server, and in the case of a TLS server, it's triggered when a malicious client connects after authentication. One of the most common mechanisms reported so far is through sending and receiving email, due to the vulnerabilities being in the X.509 certificate verification code, which is commonly used for S/MIME. These vulnerabilities were originally rated as Critical by upstream, but were later downgraded to High. Update to OpenSSL-3.0.7 immediately on ANY system which has OpenSSL-3.x installed. This includes LFS 11.1 and 11.2. These vulnerabilities have been assigned CVE-2022-3602, CVE-2022-3786, and CVE-2022-3358.

To fix these vulnerabilities, update to OpenSSL-3.0.7 or later using the instructions from OpenSSL (sysv) or OpenSSL (systemd).

11.2 031 Inetutils (LFS) Date: 2022-11-01 Severity: High

In inetutils-2.4, two security vulnerabilities were fixed in the telnet and telnetd programs which could allow for buffer overflows and crashes, leading to denial of service and remote code execution. The telnet vulnerability occurs due to insufficient validation of environment variables, primarily when processing an oversized DISPLAY argument, and leads to remote code execution and potentially to escaping restricted shells on embedded devices. The telnetd vulnerability occurs when an 'IAC EC' or 'IAC EL' sequence is sent to the daemon, and just results in a crash. In this version of inetutils, there were also several fixes to the 'ftp' and 'tftp' programs which prevent crashes, but they were not assigned CVE numbers. These crashes occur due to integer overflows (and thus out-of-bounds access), NULL pointer dereferences, heap buffer overflows, and infinite macro recursion, so they should still be treated as security problems. These vulnerabilities have been assigned CVE-2019-0053 and CVE-2022-39028.

To fix these vulnerabilities, update to inetutils-2.4 or later using the instructions from Inetutils (sysv) or Inetutils (systemd).

11.2 030 Expat (LFS) Date: 2022-11-01 Severity: High

In expat-2.5.0, a security vulnerability was fixed that could allow for a denial of service (or arbitrary code execution) when a system is low on memory. The problem occurs due to overeager destruction of a shared DTD in the XML_ExternalEntityParserCreate function in situations where the system is out of memory, and it is classified as a use-after-free. This can be exploited trivially through malicious advertisements and other crafted web content, but also through other means depending on the context in which an application uses the library. This vulnerability has been assigned CVE-2022-43680.

To fix this vulnerability, update to expat-2.5.0 using the instructions for Expat (sysv) or Expat (systemd). Note: If you have installed docbook-utils from BLFS you will need to add "--without-docbook" to work around an error in configure, since our installation of docbook-utils uses SGML instead of XML.

11.2 029 Linux Kernel (LFS) Date: 2022-11-01 Severity: Medium

In Linux-6.0.6 (and Linux-5.15.76), a security vulnerability was fixed that could allow a local unprivileged attacker to cause a kernel panic when running commands on an ext4 filesystem. This vulnerability occurs due to an incorrect directory block check: it compared the block number against the directory size in bytes. This vulnerability only affects systems with the ext4 filesystem in use, which is the default configuration used in LFS. This vulnerability has been assigned CVE-2022-1184.

To fix this vulnerability, update to Linux-6.0.6 (or Linux-5.15.76) or later using the instructions for Linux Kernel (sysv) or Linux Kernel (systemd).

11.2 028 OpenJDK Date: 2022-10-31 Severity: Medium

In OpenJDK-19.0.1, five security vulnerabilities were fixed that could allow an unauthenticated attacker with network access via Kerberos, HTTP, or (with more difficulty) other protocols to compromise a Java VM. These vulnerabilities have been assigned CVE-2022-21618, CVE-2022-21619, CVE-2022-21624, CVE-2022-21628, and CVE-2022-39399.

To fix these vulnerabilities, update to OpenJDK-19.0.1 or later using the instructions for OpenJDK (sysv) or OpenJDK (systemd), or the binaries Java (sysv) or Java (systemd).

11.2 027 cURL Date: 2022-10-28 Severity: Medium

In cURL-7.86.0, three security vulnerabilities were fixed that could allow for an application to send wrong data or use memory after it's been freed in certain circumstances, for a denial of service when using a .netrc file, and for applications to use HTTP instead of HTTPS by bypassing HSTS checks. The vulnerability which allows for an application to send wrong data, use memory after it's been freed, or cause other unexpected behavior is due to a logic problem which occurs because libcurl may erroneously use the read callback to ask for data to send if the same handle was previously used to issue a 'PUT' request which used that callback. The denial of service when using a .netrc file occurs due to an out-of-bounds access whenever a file ends in a line with consecutive non-white space characters and no new-line. The HSTS bypass occurs when a given URL uses IDN characters that are replaced by their ASCII counterparts as part of the IDN conversion. The primary threat from this vulnerability is cleartext transmission of sensitive information. These vulnerabilities have been assigned CVE-2022-32221, CVE-2022-35260, and CVE-2022-42916.

To fix these vulnerabilities, update to cURL-7.86.0 or later using the instructions for cURL (sysv) or cURL (systemd).

11.2 026 libtiff Date: 2022-10-28 Severity: Medium

In libtiff-4.4.0, five security vulnerabilities exist which could allow for crashes when using some of the utilities provided by the package. These vulnerabilities occur in the tiffcrop and tiffsplit utilities, and are due to stack overflows, out-of-bounds reads, and divide-by-zero errors when processing certain crafted files. Upstream has not made a new release at this time, but the BLFS team has generated a patch to fix these vulnerabilities. These vulnerabilities have been assigned CVE-2022-34526, CVE-2022-2056, CVE-2022-2057, CVE-2022-2058, and CVE-2022-2953.

To fix these vulnerabilities, rebuild libtiff-4.4.0 with the patch using the instructions for libtiff (sysv) or libtiff (systemd).

11.2 025 Samba Date: 2022-10-28 Severity: Medium

In Samba-4.17.2, three security vulnerabilities were fixed that could allow for bad passwords to be accepted (due to the count not being incremented properly), for a write heap buffer overflow when using GSSAPI, and for a malicious client to escape exported directories via symbolic links. Note that the GSSAPI vulnerability also impacts standard file servers which are not part of an Active Directory or NT4 domain. The symbolic link vulnerability only affects systems which have SMB1 communication enabled, which is not enabled by default. The bad password vulnerability and GSSAPI vulnerability occur in the default configuration though. These vulnerabilities have been assigned CVE-2021-20251, CVE-2022-3437, and CVE-2022-3952.

To fix these vulnerabilities, update to Samba-4.17.2 or later using the instructions for Samba (sysv) or Samba (systemd).

11.2 024 git Date: 2022-10-28 Severity: High

In git-2.38.1, two security vulnerabilities were fixed that could allow for remote code execution on servers where git repositories are stored, and for sensitive information to be exposed to a remote attacker. In the case of sensitive information leakage, this vulnerability can occur when a user runs a 'git clone' in a folder where symbolic links exist. It was originally thought that this exploit only worked on local clones, but it was later discovered that cloning a submodule with the '--recurse-submodules' command can achieve the same goal by having a symbolic link point to a file like '/etc/passwd' inside of the repository. The remote code execution vulnerability occurs in the 'git shell' program, which is used to implement Git's push/pull functionality over SSH. It occurs due to the function that splits command line arguments into an array improperly using an 'int' to represent the number of entries in the array, which allows remote attackers to intentionally overflow the return value and cause arbitrary heap writes. The vulnerability then occurs when the resulting array is passed to 'execv()'. Upgrade to git-2.38.1 immediately if you are using it on a server, or if you clone untrusted repositories. These vulnerabilities have been assigned CVE-2022-39253 and CVE-2022-39260.

To fix these vulnerabilities, update to git-2.38.1 or later using the instructions for git (sysv) or git (systemd).
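The 'git shell' argument-count overflow described above and the size_t overflow in sysstat's allocate_structures (entry 11.2 040) share one root cause and one fix: check the size arithmetic before it reaches the allocator, and keep counts in size_t rather than int. The following is an added example written for this page, not sysstat's or git's own code; the record layout, the function names and the sample inputs are constructed, and wraps_at_bits() only illustrates why the same product overflows a 32-bit size_t but fits a 64-bit one, which is the "only 32-bit machines" caveat in the sysstat entry.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* n * size without wrapping: 0 on success (product in *out), -1 on overflow. */
int checked_mul_size(size_t n, size_t size, size_t *out)
{
    if (n != 0 && size > SIZE_MAX / n)
        return -1;
    *out = n * size;
    return 0;
}

/* a + b without wrapping, same convention. */
int checked_add_size(size_t a, size_t b, size_t *out)
{
    if (b > SIZE_MAX - a)
        return -1;
    *out = a + b;
    return 0;
}

/* Allocate a header followed by `count` fixed-size records, e.g. one per
 * activity read from a data file (constructed layout). Every product and
 * sum is checked, so a hostile count cannot wrap the total to a small
 * allocation that is later overrun. Returns NULL on overflow. */
void *allocate_records(size_t header, size_t count, size_t record_size)
{
    size_t body, total;
    if (checked_mul_size(count, record_size, &body) != 0)
        return NULL;
    if (checked_add_size(header, body, &total) != 0)
        return NULL;
    return calloc(1, total);
}

/* Count the whitespace-separated words of a command line, the step that
 * precedes building an argv[] for execv(). The count is a size_t bounded
 * by max_words; (size_t)-1 is returned if the limit is exceeded instead
 * of letting a huge count wrap into a small array. */
size_t count_words(const char *s, size_t max_words)
{
    size_t n = 0;
    int in_word = 0;
    for (; *s != '\0'; s++) {
        if (*s == ' ' || *s == '\t') {
            in_word = 0;
            continue;
        }
        if (!in_word) {
            if (n == max_words)
                return (size_t)-1;
            n++;
            in_word = 1;
        }
    }
    return n;
}

/* Whether n * size exceeds the largest size_t of a `bits`-wide platform. */
int wraps_at_bits(uint64_t n, uint64_t size, unsigned bits)
{
    uint64_t max = bits >= 64 ? UINT64_MAX : (((uint64_t)1 << bits) - 1);
    return n != 0 && size > max / n;
}

int main(void)
{
    /* Constructed counts: a sane one and one chosen to wrap a 32-bit size_t. */
    void *p = allocate_records(64, 1024, 16);
    printf("1024 records of 16 bytes: %s\n", p ? "allocated" : "rejected");
    free(p);
    printf("2^20 records of 2^13 bytes wraps on 32-bit: %d, on 64-bit: %d\n",
           wraps_at_bits(1u << 20, 1u << 13, 32),
           wraps_at_bits(1u << 20, 1u << 13, 64));
    printf("words in \"git-upload-pack 'repo.git'\": %zu\n",
           count_words("git-upload-pack 'repo.git'", 1024));
    return 0;
}
```

On a 64-bit build allocate_records() rejects only inputs that would exceed the full 64-bit range; the point of wraps_at_bits() is that a count that is harmless on 64-bit can still wrap on a 32-bit build, which is why the two entries rate 32-bit systems differently.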

11.2 023 PHP Date: 2022-10-28 Severity: Medium

In PHP-8.1.11, two security vulnerabilities were fixed that could allow for a denial-of-service (infinite loop) and for cookie spoofing. The denial-of-service happens when the 'phar' command uncompresses gzip 'quine' files (archives that decompress to themselves), because the decompression code would recursively uncompress them. The cookie spoofing attack can be performed either over the network or locally, and allows an attacker to set a standard insecure cookie in the victim's browser which is treated as a '__Host-' or '__Secure-' cookie by PHP applications. Update to PHP-8.1.11 if you use the 'phar' command or if you use cookies in PHP applications. These vulnerabilities have been assigned CVE-2022-31628 and CVE-2022-31629.

To fix these vulnerabilities, update to PHP-8.1.11 or later using the instructions for PHP (sysv) or PHP (systemd).

11.2 022 Thunderbird Date: 2022-10-28 Severity: High

In Thunderbird-102.4.0, several security vulnerabilities were fixed that could allow for impersonation attacks, device verification attacks, data corruption, cross-origin URL leakage, memory corruption, arbitrary code execution, and denial-of-service conditions. The data corruption, impersonation attacks, and device verification attacks occur when using the Matrix chat protocol within Thunderbird, and can lead to encryption key exfiltration as well as the ability to make messages look like they came from a legitimate source, while being from an attacker-controlled system. The arbitrary code execution issues are due to memory safety problems. These vulnerabilities have been assigned CVE-2022-39249, CVE-2022-39250, CVE-2022-39251, CVE-2022-39236, CVE-2022-42927, CVE-2022-42928, CVE-2022-42929, and CVE-2022-42932.

To fix these vulnerabilities, update to Thunderbird-102.4.1 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).

11.2 021 Python3 (LFS and BLFS) Date: 2022-10-28 Severity: High

In Python-3.10.8, three security vulnerabilities were fixed that could allow for integer overflows, shell command injection, and unsafe text injection. One of these vulnerabilities can occur any time that a list is multiplied by an integer, and is fixed by detecting when the newly allocated length is close to the maximum size. The shell command injection vulnerability occurs in the get-remote-certificate.py example script, and was fixed by no longer using a shell to run openssl commands. The unsafe text injection vulnerability was in the 'mailcap' module and was fixed by refusing to inject that text into a shell command. Instead of using the text, it will issue a warning and act as if a match was not found. These vulnerabilities have not been assigned CVEs, but more details about them can be found at the Python 3.10.8 Release Notes.

To fix these vulnerabilities, update to Python-3.10.8 using the instructions from the BLFS book for Python3 (sysv) or Python3 (systemd).

11.2 020 libxml2 Date: 2022-10-28 Severity: High

In libxml2-2.10.3, two security vulnerabilities were fixed that could allow for denial-of-service and arbitrary code execution. These occur due to logic errors and integer overflows, and are caused by missing safety checks and missing length limitations. Both of these issues can be triggered when performing operations on XML documents, or when loading the XML documents into memory for processing. These vulnerabilities have been assigned CVE-2022-40304 and CVE-2022-40303.

To fix these vulnerabilities, update to libxml2-2.10.3 or later using the instructions for libxml2 (sysv) or libxml2 (systemd).

11.2 019 DHCP Date: 2022-10-28 Severity: High

In DHCP-4.4.3-P1, two security vulnerabilities were fixed that could allow for a denial-of-service and memory leak when using the DHCPD server. Note that these vulnerabilities do not affect the 'dhclient' utility. One of these vulnerabilities occurs due to a reference counter leak when the server is building responses to leasequery packets, and leads to the server aborting. The other vulnerability occurs when unpacking a packet that has a FQDN option that contains a label with a length greater than 63 bytes. This causes a memory leak that eventually results in the server running out of memory. Update to DHCP-4.4.3-P1 if you are using the DHCPD server. These vulnerabilities have been assigned CVE-2022-2928 and CVE-2022-2929.

To fix these vulnerabilities, update to DHCP-4.4.3-P1 or later using the instructions for DHCP (sysv) or DHCP (systemd).
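The FQDN-option bug above is a missing bounds check in a name parser. As an added illustration (example code written for this page, not ISC DHCP's own parser), the decoder below reads a DNS wire-format name, the length-prefixed label encoding that the client FQDN option carries in its encoded form, and rejects a label longer than 63 bytes, a name longer than 255 wire bytes, a label that runs past the buffer and a missing terminator, returning an error before any memory is consumed. The sample option bytes are constructed and the function names are assumptions; it also refuses compression pointers, which a stand-alone option does not use.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_MAX_LABEL 63   /* RFC 1035: a label is at most 63 octets */
#define DNS_MAX_NAME  255  /* RFC 1035: a name is at most 255 octets on the wire */

/* Decode a wire-format name from buf[0..len) into a dotted string.
 * Returns the number of wire bytes consumed (including the terminating
 * zero), or -1 on: a label longer than 63 bytes (this also rejects
 * compression pointers, whose top two bits are set), a name longer than
 * 255 wire bytes, a label running past the buffer, a missing terminator,
 * or an output buffer that is too small. */
int decode_wire_name(const uint8_t *buf, size_t len, char *out, size_t outlen)
{
    size_t pos = 0, o = 0;

    while (pos < len) {
        uint8_t l = buf[pos++];
        if (l == 0) {                       /* end of name */
            if (pos > DNS_MAX_NAME)
                return -1;
            if (o == 0) {                   /* the root name "." */
                if (outlen < 2)
                    return -1;
                out[o++] = '.';
            }
            out[o] = '\0';
            return (int)pos;
        }
        if (l > DNS_MAX_LABEL)              /* the check the page describes */
            return -1;
        if (l > len - pos)                  /* label would read past the packet */
            return -1;
        if (o + l + 1 >= outlen)            /* no room for label plus '.'/NUL */
            return -1;
        if (o > 0)
            out[o++] = '.';
        memcpy(out + o, buf + pos, l);
        o += l;
        pos += l;
    }
    return -1;                              /* bytes ran out before the terminator */
}

/* Decode into a static buffer; returns the dotted name or NULL if rejected. */
const char *wire_name_or_null(const uint8_t *buf, size_t len)
{
    static char name[DNS_MAX_NAME + 1];
    return decode_wire_name(buf, len, name, sizeof name) < 0 ? NULL : name;
}

/* Number of wire bytes a valid name occupies, or -1 if rejected. */
int wire_name_consumed(const uint8_t *buf, size_t len)
{
    char scratch[DNS_MAX_NAME + 1];
    return decode_wire_name(buf, len, scratch, sizeof scratch);
}

/* Constructed samples. */
static const uint8_t GOOD_NAME[] = { 4, 'h','o','s','t', 7, 'e','x','a','m','p','l','e', 3, 'c','o','m', 0 };
static const uint8_t ROOT_NAME[] = { 0 };
static const uint8_t TRUNCATED[] = { 4, 'h','o' };     /* label runs past the end */
static const uint8_t NO_TERMINATOR[] = { 1, 'a' };
static const uint8_t POINTER[] = { 0xC0, 0x0C, 0 };     /* compression pointer */
static uint8_t OVERSIZED[66];                           /* filled by the function below */

/* Build a name whose single label claims to be 64 bytes long; returns its length. */
size_t oversized_label_sample(void)
{
    OVERSIZED[0] = 64;
    memset(OVERSIZED + 1, 'a', 64);
    OVERSIZED[65] = 0;
    return sizeof OVERSIZED;
}

int main(void)
{
    const char *s = wire_name_or_null(GOOD_NAME, sizeof GOOD_NAME);
    printf("good: %s\n", s ? s : "rejected");
    printf("64-byte label: %s\n",
           wire_name_or_null(OVERSIZED, oversized_label_sample()) ? "accepted" : "rejected");
    printf("truncated: %s\n",
           wire_name_or_null(TRUNCATED, sizeof TRUNCATED) ? "accepted" : "rejected");
    return 0;
}
```

A parser built this way fails closed: the oversized label is refused at the length byte, before any label data is copied or any per-name allocation is made, so a stream of such packets costs nothing but the rejection.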

11.2 018 dbus (LFS and BLFS) Date: 2022-10-28 Severity: Medium

In dbus-1.14.4, three security vulnerabilities were fixed that could allow for a denial-of-service by sending messages with attached file descriptors in an unexpected format, as well as when receiving messages with invalid type signatures and messages where the length of an array is not a multiple of the length of the element. These are due to assertion failures, use-after-frees, memory corruption, and out-of-bounds reads. Note that this can cause the system D-Bus daemon to crash, as well as any application which links to libdbus, and this can be exploited as an unprivileged user. These vulnerabilities have been assigned CVE-2022-42011, CVE-2022-42010, and CVE-2022-42012.

To fix these vulnerabilities, update to dbus-1.14.4 or later using the instructions from the BLFS book for dbus (sysv) or dbus (systemd).

11.2 017 OpenSSH Date: 2022-10-28 Severity: Medium

In OpenSSH-9.1p1, three security vulnerabilities were fixed in OpenSSH tools that could allow for denial of service. These vulnerabilities have not been assigned CVEs, but have been reported as potential security issues. In the case of the ssh-keyscan utility, there is a one-byte overflow when processing SSH- banners. In the case of ssh-keygen, there is a denial-of-service (application crash) in the error path of the file hashing step when signing and verifying the keys that ssh-keygen has generated. In the case of ssh-keysign, there is a denial-of-service when going into the error path as well (both ssh-keygen and ssh-keysign vulnerabilities are due to free() being called twice). Updating to 9.1p1 is recommended if you are encountering crashes when using these utilities. More information can be found at OpenSSH Release Notes.

To fix these vulnerabilities, update to OpenSSH-9.1p1 or later using the instructions from OpenSSH (sysv) or OpenSSH (systemd).

11.2 016 Linux Kernel (LFS) Date: 2022-10-28 Severity: Critical

In linux-6.0.2, several security vulnerabilities were fixed that could allow for arbitrary code execution, reading memory from anywhere on the system, out-of-bounds writes and reads, firewall bypasses, and denial of service (kernel panics). These occur in the ALSA (sound), nftables (firewall), TCP/IP, BPF, EFI, and Wireless subsystems. Note that the wireless vulnerabilities can be exploited without being connected to a network, and can be triggered by simply scanning for networks. The ALSA vulnerability occurs when using the OSS API emulation, and the firewall bypass occurs when you are connected to an IRC network. The LFS team recommends updating to a patched kernel immediately, which is one of 6.0.2 or 5.15.75 (if you prefer to use LTS kernels). These vulnerabilities have been assigned CVE-2022-3303, CVE-2022-2663, CVE-2022-40307, CVE-2022-2785, CVE-2022-39190, CVE-2022-3028, CVE-2022-2905, CVE-2022-41674, CVE-2022-42719, CVE-2022-42720, CVE-2022-42721, and CVE-2022-42722.

To fix these vulnerabilities, update to Linux-6.0.2 (or Linux-5.15.75) or later using the instructions from Linux Kernel (sysv) or Linux Kernel (systemd).

11.2 015 Firefox Date: 2022-10-18 Severity: High

In Firefox-102.4.0esr, four security vulnerabilities were fixed, two of them rated as High by upstream. Details at mfsa-2022-45. These vulnerabilities have been assigned CVE-2022-42927, CVE-2022-42928, CVE-2022-42929, CVE-2022-42932.

To fix these vulnerabilities, update to Firefox-102.4.0esr or later using the instructions for Firefox (sysv) or Firefox (systemd).

11.2 014 Libksba Date: 2022-10-17 Severity: High

In libksba-1.6.2 a severe bug in parsing ASN.1 structures was fixed. The subsequent gnupg-2.3.8 binary release announcement (on linux, libksba is built as a separate package) mentioned this. Full details are at the gnupg blog, and it has been assigned CVE-2022-3515.

To fix this, update to Libksba-1.6.2 or later using the instructions for Libksba (sysv) or Libksba (systemd).

11.2 013 Thunderbird Date: 2022-09-25 Severity: High

In Thunderbird-102.3.0, six security vulnerabilities (on x86 linux, there is another for ARM64, and one on MacOS) were fixed that could allow for potentially exploitable crashes, session fixation, Content Security Policy bypass and memory safety bugs which may lead to remote code execution. Details at mfsa-2022-42. These vulnerabilities have been assigned CVE-2022-3266, CVE-2022-40956, CVE-2022-40958, CVE-2022-40959, CVE-2022-40960, and CVE-2022-40962.

To fix these vulnerabilities, update to Thunderbird-102.3.0 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).

11.2 012 BIND Date: 2022-09-24 Severity: High

In BIND-9.18.7, six security vulnerabilities were fixed that could allow for denial of service and arbitrary code execution. These occur due to processing large delegations, buffer overreads in the statistics channel code, memory leaks in the code handling Diffie-Hellman key exchanges, memory leaks when processing ECDSA and EdDSA keys in DNSSEC, and crashes when processing stale caches. Note that the vulnerability when processing large delegations will also cause extremely degraded performance. These vulnerabilities only affect the server, not the client utilities. These vulnerabilities have been assigned CVE-2022-2795, CVE-2022-2881, CVE-2022-2906, CVE-2022-3080, CVE-2022-38177, and CVE-2022-38178.

To fix these vulnerabilities, update to BIND-9.18.7 using the instructions for BIND (sysv) or BIND (systemd).

11.2 011 Unbound Date: 2022-09-24 Severity: High

In Unbound-1.16.3, a security vulnerability was fixed that could allow for uncontrolled resource consumption due to a non-responsive delegation attack. This can occur over the network and the attack complexity is low, but the only significant impact is to system availability (excessive CPU and memory consumption). The BLFS team recommends updating Unbound if you are using it on a high-traffic server. This vulnerability has been assigned CVE-2022-3204.

To fix this vulnerability, update to Unbound-1.16.3 using the instructions for Unbound (sysv) or Unbound (systemd).

11.2 010 Node.js Date: 2022-09-24 Severity: Critical

In Node.js-16.17.1, three security vulnerabilities were fixed that could allow for HTTP Request Smuggling and weak randomness when using the HTTP Parser module or the WebCrypto keygen. These vulnerabilities occur due to unchecked return values, bypasses of previous vulnerabilities, and incorrect parsing of Multi-line Transfer-Encoding fields in a HTTP header. These occur inside the internal llhttp module and within the core of the package itself. These vulnerabilities have been assigned CVE-2022-32213, CVE-2022-35255, and CVE-2022-35256.

To fix these vulnerabilities, update to Node.js-16.17.1 using the instructions for Node.js (sysv) or Node.js (systemd).
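To make the failure mode concrete, here is an added example (written for this page, not Node.js or llhttp code) of the checks a strict front-end parser applies to a request head before forwarding it: reject obs-fold continuation lines (a header value spread over several lines, the construct behind the multi-line Transfer-Encoding bug), reject a request that carries both Transfer-Encoding and Content-Length, and reject a Transfer-Encoding chain that does not end in chunked. Any of these is enough for two parsers in the same chain to disagree about where one request ends and the next begins. The sample requests are constructed for the example.

```python
SP_HT = (b" ", b"\t")


def check_request_head(raw):
    """Return the list of reasons a request head must be rejected with 400
    (an empty list means it is safe to forward). `raw` is the bytes of the
    request up to and including the blank line."""
    problems = []
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["incomplete head: no blank line"]
    request_line, *header_lines = head.split(b"\r\n")
    if len(request_line.split(b" ")) != 3:
        problems.append("malformed request line")

    te_codings, content_lengths = [], []
    for line in header_lines:
        if line[:1] in SP_HT:
            # RFC 7230 section 3.2.4 obs-fold: a proxy must reject or
            # unfold it. Rejecting keeps every parser in the chain in
            # agreement about the header's value.
            problems.append("obs-fold continuation line")
            continue
        name, colon, value = line.partition(b":")
        if not colon or not name or name != name.rstrip():
            # No colon, empty name, or whitespace before the colon.
            problems.append("malformed header line: %r" % line)
            continue
        lname = name.lower()
        value = value.strip()
        if lname == b"transfer-encoding":
            te_codings.extend(v.strip().lower() for v in value.split(b","))
        elif lname == b"content-length":
            content_lengths.append(value)

    # RFC 7230 section 3.3.3: these combinations make the body length
    # ambiguous and are the raw material of request smuggling.
    if te_codings and content_lengths:
        problems.append("both Transfer-Encoding and Content-Length present")
    if te_codings and te_codings[-1] != b"chunked":
        problems.append("Transfer-Encoding does not end with chunked")
    if len(set(content_lengths)) > 1:
        problems.append("conflicting Content-Length values")
    for cl in content_lengths:
        if not cl.isdigit():
            problems.append("invalid Content-Length: %r" % cl)
    return problems


if __name__ == "__main__":
    # Constructed requests, not captured traffic. The second one folds the
    # Transfer-Encoding value over two lines and also sends Content-Length,
    # so parsers that disagree about the fold see different bodies.
    clean = (b"POST /api HTTP/1.1\r\nHost: app.example\r\n"
             b"Content-Length: 5\r\n\r\nhello")
    folded = (b"POST /api HTTP/1.1\r\nHost: app.example\r\n"
              b"Transfer-Encoding: chunked\r\n , identity\r\n"
              b"Content-Length: 4\r\n\r\n0\r\n\r\nGET /admin HTTP/1.1\r\n\r\n")
    for req in (clean, folded):
        print(check_request_head(req) or "OK")
```

A gateway that applies these rules answers 400 instead of guessing; the guessing is what lets the trailing "GET /admin" in the folded sample be read as a second, unauthenticated request by the back end.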

11.2 009 Expat Date: 2022-09-23 Severity: Critical

In expat-2.4.9, a critical security vulnerability was fixed that could allow for arbitrary code execution or denial of service, depending on the context of the program that is calling the library. This occurs due to a use-after-free vulnerability in the doContent function. It can be exploited through malicious advertisements and other crafted web content, but also through any other path by which an application that uses the library is fed attacker-controlled XML. The BLFS team recommends updating to expat-2.4.9 as soon as possible. This vulnerability has been assigned CVE-2022-40674.

To fix this vulnerability, update to expat-2.4.9 or later using the instructions for Expat (sysv) or Expat (systemd). Note: If you have installed docbook-utils from BLFS you will need to add "--without-docbook" to work around an error in configure, since our installation of docbook-utils uses SGML instead of XML.

11.2 008 WebKitGTK+ Date: 2022-09-21 Severity: Critical

In WebKitGTK+-2.36.8, two security vulnerabilities were fixed that could allow for remote code execution when processing maliciously crafted web content. A proof of concept exists where a malicious advertisement is sideloaded onto a page. These vulnerabilities occur due to a buffer overflow and an out-of-bounds read, which were fixed with improved memory handling and boundary checking. These vulnerabilities have been assigned CVE-2022-32886 and CVE-2022-32912.

To fix these vulnerabilities, update to WebKitGTK+-2.36.8 by substituting 2.36.8 for the version in the instructions for WebKitGTK+ (sysv) or WebKitGTK+ (systemd).

11.2 007 Firefox Date: 2022-09-20 Severity: High

In Firefox-102.3.0esr, six security vulnerabilities (on x86, there is another for ARM64 if using WASM) were fixed that could allow for potentially exploitable crashes, session fixation, Content Security Policy bypass and memory safety bugs which may lead to remote code execution. Details at mfsa-2022-41. These vulnerabilities have been assigned CVE-2022-3266, CVE-2022-40956, CVE-2022-40958, CVE-2022-40959, CVE-2022-40960, and CVE-2022-40962.

To fix these vulnerabilities, update to Firefox-102.3.0esr or later using the instructions for Firefox (sysv) or Firefox (systemd).

11.2 006 QtWebEngine Date: 2022-09-19 Severity: Critical

In QtWebEngine-5.15.11, several security vulnerabilities were fixed that could allow for remote code execution, arbitrary file creation and deletion, denial of service, and information disclosure. These vulnerabilities occur due to segmentation violations, use-after-free vulnerabilities, out-of-bounds access, insufficient policy enforcement, heap buffer overflows, and type confusion. These occur in a variety of subsystems, including WebGL, WebRTC, DevTools, V8, Guest View, Filesystem API, and Messaging. These vulnerabilities have been assigned CVE-2022-2610, CVE-2022-2477, CVE-2022-27406, CVE-2022-27405, CVE-2022-27404, CVE-2022-2294, CVE-2022-2295, CVE-2022-2160, CVE-2022-2162, CVE-2022-2158, CVE-2022-2008, CVE-2022-2010, CVE-2022-1854, CVE-2022-1857, and CVE-2022-1855.

To fix these vulnerabilities, update to QtWebEngine-5.15.11 or later using the instructions for QtWebEngine (sysv) or QtWebEngine (systemd).

11.2 005 Python (LFS and BLFS) Date: 2022-09-14 Severity: High

In Python-3.10.7, a security vulnerability was fixed that could allow for a denial of service (CPU exhaustion) due to algorithmic complexity. Converting between integers and strings takes time quadratic in the number of digits in any base that is not a power of two, so untrusted decimal input of a few hundred thousand digits can stall a process; conversions in bases 2 (binary), 4, 8 (octal), 16 (hexadecimal), and 32 are linear-time and unaffected. A limit of 4300 digits is now enforced by default, and a ValueError is raised beyond it; previously there was no limit. This vulnerability has been assigned CVE-2020-10735.

To fix this vulnerability, update to Python-3.10.7 using the instructions from the BLFS book for Python3 (sysv) or Python3 (systemd).
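As an added example (not code from the Python project or from this page), the following shows how a service that parses untrusted numeric strings can enforce the same 4300-digit budget itself, so that it is protected even on an interpreter older than 3.10.7, and how to read the interpreter's own limit where one exists. The budget constant and the helper names are choices made for this example; on patched releases the interpreter-side limit can also be changed with sys.set_int_max_str_digits() or the PYTHONINTMAXSTRDIGITS environment variable.

```python
import sys

# Default digit budget applied by patched interpreters (3.10.7+, 3.11+)
# to int<->str conversion in non-power-of-two bases (CVE-2020-10735).
DEFAULT_MAX_STR_DIGITS = 4300

# Conversion in these bases is linear-time, so CPython does not limit it.
POWER_OF_TWO_BASES = frozenset({2, 4, 8, 16, 32})


def parse_untrusted_int(text, base=10, max_digits=DEFAULT_MAX_STR_DIGITS):
    """Convert untrusted text to an int, refusing oversized input *before*
    the quadratic conversion runs.

    Sign, surrounding whitespace and PEP 515 underscores are not counted as
    digits; a 0x/0o/0b prefix is, which only makes the check stricter.
    Power-of-two bases are exempt, mirroring CPython's own rule.
    """
    s = text.strip()
    if s and s[0] in "+-":
        s = s[1:]
    digit_count = len(s.replace("_", ""))
    if base not in POWER_OF_TWO_BASES and digit_count > max_digits:
        raise ValueError(
            f"integer string too long: {digit_count} digits > {max_digits}")
    return int(s, base)


def interpreter_limit():
    """Return the interpreter's built-in limit, or None on an unpatched
    Python (before 3.10.7 / 3.11.0) that has no limit at all."""
    getter = getattr(sys, "get_int_max_str_digits", None)
    return getter() if getter is not None else None


if __name__ == "__main__":
    print("interpreter limit:", interpreter_limit())
    # 5000 hex digits: exempt base, converts instantly to 2**20000 - 1.
    print(parse_untrusted_int("f" * 5000, 16) == (1 << 20000) - 1)
    # 5000 decimal digits: refused before int() is ever called.
    try:
        parse_untrusted_int("9" * 5000)
    except ValueError as exc:
        print("rejected:", exc)
```

Doing the length check yourself also gives a clear, application-level error rather than a ValueError surfacing from deep inside a JSON or form parser.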

11.2 004 Wireshark Date: 2022-09-14 Severity: Medium

In Wireshark-3.6.8, a security vulnerability was fixed that could allow for a denial-of-service (excessive resource consumption) when using the F5 Ethernet Trailer packet dissector. This can occur via packet injection or via reading a crafted capture file, and is caused by an infinite loop. Note that this security vulnerability is only applicable if you are operating Wireshark on a network that has F5 Ethernet Trailer packets passing along it. This vulnerability has been assigned CVE-2022-3190.

To fix this vulnerability, update to Wireshark-3.6.8 or later using the instructions for Wireshark (sysv) or Wireshark (systemd).

11.2 003 Thunderbird Date: 2022-09-03 Severity: High

In Thunderbird-102.2.1, several security vulnerabilities were fixed that could allow for leakage of sensitive information, objects to be loaded and processed unexpectedly, unauthorized network requests, and denial-of-service attacks. The leakage of sensitive information occurs when composing a reply to an HTML email that contains a 'META' tag with a 'refresh' attribute and a URL: Thunderbird then starts a network request to that URL and processes any JavaScript located within the email (or returned from the URL), executing it in the context of the message compose document. That JavaScript could read or modify the contents of the email, and could also decrypt mails; the contents can then be transmitted to the network, to the URL in the meta tag or to another URL depending on the JavaScript in use. The unexpected loading of remote content and the network requests triggered by iframe elements occur whenever a user receives an HTML email. The denial-of-service attack can occur when connected to a network using the Matrix chat protocol, and can cause temporary corruption. Update to Thunderbird-102.2.1 immediately. These vulnerabilities have been assigned CVE-2022-3033, CVE-2022-3032, CVE-2022-3034, and CVE-2022-36059.

To fix these vulnerabilities, update to Thunderbird-102.2.1 using the instructions for Thunderbird (sysv) or Thunderbird (systemd).

11.2 002 cURL Date: 2022-09-03 Severity: Low

In curl-7.85.0, a security vulnerability was fixed that could allow for a denial of service when processing cookies. When curl retrieves and parses cookies from an HTTP(S) server, it accepted cookies containing control codes. When such cookies are later sent back, the server may answer with a 400 response, effectively allowing one site to deny service to related sites that share the cookie domain. This vulnerability has been assigned CVE-2022-35252.

To fix this vulnerability, update to cURL-7.85.0 or later using the instructions for cURL (sysv) or cURL (systemd).
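As an added example (not curl's code), the check below shows the storage-time rule: a Set-Cookie value whose name or value contains a C0 control byte other than horizontal tab, or DEL, is dropped before it enters the cookie jar, so it can never be echoed back in a Cookie: header and trigger the 400. The byte set is the one I understand curl 7.85.0 to reject; treat it as an assumption and consult cookie.c if the exact set matters. The minimal Set-Cookie parser and the sample headers are constructed for this example.

```python
# C0 control bytes except horizontal tab (0x09), plus DEL (0x7f): the set a
# cookie name or value must not contain (assumption: mirrors curl 7.85.0).
CONTROL_BYTES = (frozenset(range(0x01, 0x20)) - {0x09}) | {0x7F}


def has_control_bytes(text):
    return any(ord(ch) in CONTROL_BYTES for ch in text)


def parse_set_cookie(header):
    """Minimal split of a Set-Cookie value into (name, value, attributes).

    Constructed for this example after the outline of RFC 6265 section 5.2;
    it deliberately does not try to be a full cookie parser.
    """
    pair, *attr_parts = header.split(";")
    name, _, value = pair.partition("=")
    attrs = {}
    for part in attr_parts:
        key, _, val = part.strip().partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def accept_cookie(header):
    """Return (name, value) if the cookie may be stored, else None.

    Rejecting at storage time is the point: a poisoned cookie that is never
    stored is never sent, so the origin never sees the bad bytes.
    """
    name, value, _attrs = parse_set_cookie(header)
    if not name:
        return None
    if has_control_bytes(name) or has_control_bytes(value):
        return None
    return name, value


def build_cookie_header(jar):
    """Serialise stored cookies the way they would be sent back."""
    return "; ".join(f"{name}={value}" for name, value in jar)


if __name__ == "__main__":
    # Constructed Set-Cookie headers; the second carries a control byte
    # that a strict origin would answer with 400 if it were echoed back.
    received = [
        "sid=abc123; Path=/; HttpOnly",
        "poison=x\x01y; Path=/",
        "pref=dark\tmode; Path=/",
    ]
    jar = [c for c in map(accept_cookie, received) if c is not None]
    print("Cookie:", build_cookie_header(jar))
```

The same filter belongs in any client-side cookie store, not only curl's: a shared cookie domain means a single hostile subdomain can poison the jar for every host under it.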

11.2 001 Poppler Date: 2022-09-03 Severity: Critical

In poppler-22.09.0, a critical security vulnerability was fixed that allows for arbitrary code execution when PDF files are processed. This is an integer overflow in the JBIG2 image decoder, the same bug class that the "FORCEDENTRY" exploit used against Apple devices last year to gain zero-click remote code execution through the system's image processing; here it lives in Poppler's bundled JBIG2 decoder. Poppler is used to process PDF files, and a proof of concept which causes a crash is available to the public. Exploitation can happen simply by opening a PDF file, or by downloading a PDF file to a location where Tracker or Baloo can index it, or even when printing a PDF file using CUPS. Update to poppler-22.09.0 as soon as possible. This vulnerability has been assigned CVE-2022-38784.

To fix this vulnerability, update to poppler-22.09.0 or later using the instructions for Poppler (sysv) or Poppler (systemd).

Unfortunately, this security update breaks the compilation of two packages (Inkscape and Libreoffice) due to incompatible API changes. The BLFS team has prepared patches for both of these packages.

If you are going to build Inkscape, apply this patch before compiling the package: Inkscape Poppler Fixes Patch.

If you are going to build Libreoffice, apply this patch before compiling the package: Libreoffice Poppler Fixes Patch.

Note that later versions of inkscape (starting with 1.2.2) and libreoffice (starting with 7.4.2.3) have been fixed and the patches are not needed anymore.

Items between the releases of the 11.1 and 11.2 books

11.1 105 WebKitGTK+ Date: 2022-08-25 Severity: Critical

In WebKitGTK+-2.36.7, a critical 0day security vulnerability was fixed that allows for trivial remote code execution when processing maliciously crafted web content, including advertisements. This was classified as an out-of-bounds write, and was addressed with improved boundary checking. Visiting a web page, or having content loaded into one (such as advertisements), can trigger this vulnerability. There are numerous reports that this vulnerability is under active exploitation, so updating immediately is recommended. This vulnerability has been assigned CVE-2022-32893.

To fix this vulnerability, update to WebKitGTK+-2.36.7 or later using the instructions for WebKitGTK+ (sysv) or WebKitGTK+ (systemd).

11.1 104 Thunderbird Date: 2022-08-25 Severity: High

In Thunderbird-102.2.0, five security vulnerabilities were fixed that could allow for address bar spoofing, permission inheritance when processing crafted XSLT documents, data race conditions, and memory safety bugs which may lead to remote code execution. These vulnerabilities have been assigned CVE-2022-38472, CVE-2022-38473, CVE-2022-38476, CVE-2022-38477, and CVE-2022-38478.

To fix these vulnerabilities, update to Thunderbird-102.2.0 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).

11.1 103 Firefox Date: 2022-08-25 Severity: High

In Firefox-102.2.0esr, five security vulnerabilities were fixed that could allow for address bar spoofing, permission inheritance when processing crafted XSLT documents, data race conditions, and memory safety bugs which may lead to remote code execution. If you are staying on 91esr, please note that the corresponding version (91.13.0esr) is the final release of that branch, and you should update to Firefox-102esr. These vulnerabilities have been assigned CVE-2022-38472, CVE-2022-38473, CVE-2022-38476, CVE-2022-38477, and CVE-2022-38478.

To fix these vulnerabilities, update to Firefox-102.2.0esr or later (or Firefox-91.13.0esr, although this is the final release of that branch) using the instructions for Firefox (sysv) or Firefox (systemd).

11.1 102 Linux Kernel (LFS) Date: 2022-08-24 Severity: High

In Linux-6.0-rc2, a race condition allowing an unprivileged, local user to gain write access to read-only memory mappings and increase their privileges on the system was fixed. This vulnerability has been assigned CVE-2022-2590 (not disclosed yet).

This vulnerability affects Linux 5.16 or later, and the fix is not backported into any stable release yet. To mitigate the vulnerability, disable CONFIG_USERFAULTFD in the kernel configuration and rebuild the kernel using the instructions from the LFS book for Linux Kernel (sysv) or Linux Kernel (systemd).

No LFS or BLFS component invokes the userfaultfd() system call as of now. If you need to enable CONFIG_USERFAULTFD for some program that uses userfaultfd(), update to Linux 6.0-rc2 or later to fix the vulnerability, but note that using a release candidate is not recommended by the editors.

11.1 101 Intel Microcode Date: 2022-08-24 Severity: Medium

In intel-microcode-20220809, a hardware vulnerability was fixed. When the interrupt controller (APIC) operates in xAPIC (also known as "legacy") mode, the APIC configuration registers are exposed through a memory-mapped I/O (MMIO) page. An attacker able to execute code on a target CPU can perform an unaligned read from the MMIO page; the vulnerability may then cause the APIC to return stale data from previous requests made by the same processor core to the same configuration page, causing a sensitive information disclosure. This vulnerability has been assigned CVE-2022-21233.

Intel recommends to enable x2APIC mode, which disables the xAPIC MMIO page and instead exposes APIC registers through model-specific registers (MSRs) to mitigate the issue. Run dmesg | grep 'x2apic' to see if APIC is operating in x2APIC mode. If the output contains "x2apic enabled", it indicates the APIC is already operating in x2APIC mode and no further action is needed. If there is no output, enable CONFIG_X86_X2APIC in the kernel configuration and rebuild the kernel, then recheck after booting the new kernel. If the output contains "x2apic is disabled because BIOS sets x2apic opt out bit", try to enable x2APIC in the BIOS setting. If it's not possible, you'll need to update to at least intel-microcode-20220809 using the instructions for About Firmware (sysv) or About Firmware (systemd).

11.1 100 Shadow (LFS and BLFS) Date: 2022-08-23 Severity: Low

In shadow-4.12.2, a time-of-check time-of-use race condition was fixed. When an administrator is running the shadow utilities (useradd or userdel), a local attacker with permission to write into a directory being operated on by the utility can conduct symbolic link attacks, leading to their ability to alter or remove directories outside of that directory. This vulnerability has been assigned CVE-2013-4235.

To fix this vulnerability, update to shadow-4.12.2 using the instructions from the BLFS book for Shadow (sysv) or Shadow (systemd). If you are unwilling or unable to update, be careful when you use the utilities from shadow as root. In particular, when you remove a user with userdel, ensure no processes are running as that user first.

11.1 099 Linux Kernel (LFS) Date: 2022-08-23 Severity: High

In Linux-5.19.2, four security vulnerabilities were fixed. The first one can be exploited by an attacker who tricks the administrator into mounting and operating on a maliciously crafted ext4 file system, causing a denial of service (kernel panic). The second and third can be exploited by an attacker who already holds the CAP_NET_ADMIN privilege (possibly only in a separate namespace) to perform further privilege escalation. The fourth allows an unprivileged attacker to cause a denial of service (kernel panic) or potential privilege escalation. These vulnerabilities have been assigned CVE-2022-1184, CVE-2022-2586, CVE-2022-2588, and CVE-2022-2585 (none of them disclosed yet).

To fix these vulnerabilities, update to Linux 5.19.2 (or 5.18.19, 5.15.62, 5.10.137 if you prefer to stay on an old kernel series) using the instructions from the LFS book for Linux Kernel (sysv) or Linux Kernel (systemd).

11.1 098 libxml2 Date: 2022-08-18 Severity: High

In libxml2-2.10.0, a security vulnerability was fixed that could allow for attackers to cause a denial-of-service (application crash). This vulnerability triggers a crash through forged input data, and is caused by the iterwalk function. The primary application that is affected is 'lxml', which is a python wrapper to libxslt and libxml2. Note that libxml2-2.10.0 fixed several other security issues as well, which were not assigned CVEs. This vulnerability has been assigned CVE-2022-2309.

To fix this vulnerability, update to libxml2-2.10.0 or later using the instructions for libxml2 (sysv) or libxml2 (systemd).

11.1 097 MariaDB Date: 2022-08-18 Severity: Critical

In MariaDB-10.6.9, five security vulnerabilities were fixed that could allow for remote code execution and remotely exploitable crashes. These vulnerabilities consist of assertion failures when processing database queries, segmentation faults, and use-after-free poison vulnerabilities when processing database queries and committing data to disk. These vulnerabilities have been assigned CVE-2022-32082, CVE-2022-32089, CVE-2022-32081, CVE-2022-32091, and CVE-2022-32084.

To fix these vulnerabilities, update to MariaDB-10.6.9 or later using the instructions for MariaDB (sysv) or MariaDB (systemd).

11.1 096 tumbler Date: 2022-08-18 Severity: High

In tumbler-4.16.1, a security vulnerability was fixed that could allow for arbitrary code execution and server-side request forgery when indexing certain file types using the gstreamer plugin. This vulnerability was resolved by adding a MIME type check to the gst-thumbnailer plugin, but further details are scarce at this time. More information can be found at XFCE Mailing List, XFCE Upstream Commit, and Issue #65 (when available).

To fix this vulnerability, update to tumbler-4.16.1 or later using the instructions for tumbler (sysv) or tumbler (systemd).

11.1 095 Java Binaries/OpenJDK Date: 2022-08-18 Severity: Critical

In OpenJDK-18.0.2, three security vulnerabilities were fixed that could allow for arbitrary code execution, corruption of existing Java class files, unauthorized creation, modification, and deletion of data, and unauthorized access to information (reading). These vulnerabilities occur when processing XSLT stylesheets, and when using the Hotspot feature to compile JIT code. These vulnerabilities have been assigned CVE-2022-34169, CVE-2022-21541, and CVE-2022-21540.

To fix these vulnerabilities, update to Java Binaries/OpenJDK-18.0.2 or 17.0.4.1 (LTS) or 11.0.16.1 (LTS) or later using the instructions for Java binaries (sysv) or OpenJDK (sysv) or Java binaries (systemd) or OpenJDK (systemd).

11.1 094 unrar Date: 2022-08-18 Severity: High

In unrar-6.1.7, a security vulnerability was fixed that could allow for path traversal, allowing for arbitrary files to be written during an extract operation on a crafted archive. This vulnerability is known to be exploited in the wild, and a proof-of-concept exploit exists that allows an attacker to create a .ssh/authorized_keys file in the home directory of whichever user extracts the archive. Update to unrar-6.1.7 as soon as possible. This vulnerability has been assigned CVE-2022-30333.

To fix this vulnerability, update to unrar-6.1.7 or later using the instructions for unrar (sysv) or unrar (systemd).

11.1 093 rsync Date: 2022-08-18 Severity: High

In rsync-3.2.5, a security vulnerability was fixed that could allow malicious remote servers to write arbitrary files inside the directories of connecting peers. The server chooses the files/directories which are sent to the client, and the rsync client performed insufficient validation of file names. A malicious rsync server can overwrite arbitrary files in the rsync client's target directory and any subdirectories, and a proof-of-concept exploit exists that overwrites the .ssh/authorized_keys file on a system to allow remote attackers to log in without a password. Update to rsync-3.2.5 as soon as possible if you are using its client. This vulnerability has been assigned CVE-2022-29154.

To fix this vulnerability, update to rsync-3.2.5 or later using the instructions for rsync (sysv) or rsync (systemd).
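The unrar and rsync entries above are the same bug class: a name chosen by the remote side (an archive member or a file in the server's file list) is joined to a local directory without checking that the result stays inside it. As an added example (not rsync's or unrar's code), the check below rejects absolute names, any '..' that climbs above the destination, and names that pass through a symlink already present in the destination, which is how a file planted earlier in the same transfer can redirect a later write to .ssh/authorized_keys. The helper names and the sample file lists are constructed for this example.

```python
import os
import tempfile


def is_safe_member(target_dir, member):
    """Return True only if writing `member` (a name taken from the remote
    side or an archive) stays inside target_dir.

    Two layers: a lexical check that rejects absolute names and any '..'
    that climbs above the root, then a filesystem check that resolves
    symlinks already present under target_dir, so a link planted by an
    earlier file in the same transfer cannot redirect a later write.
    """
    if not member or member.startswith("/"):
        return False
    norm = os.path.normpath(member)
    # normpath collapses "a/../../b" to "../b"; anything that still climbs
    # out of the root at this point is hostile.
    if norm == ".." or norm.startswith("../") or os.path.isabs(norm):
        return False
    root = os.path.realpath(target_dir)
    dest = os.path.realpath(os.path.join(root, norm))
    return os.path.commonpath([root, dest]) == root and dest != root


def partition_members(target_dir, members):
    """Split a remote file list into (safe, rejected) without writing
    anything; the caller only ever creates files from the first list."""
    safe, rejected = [], []
    for name in members:
        (safe if is_safe_member(target_dir, name) else rejected).append(name)
    return safe, rejected


def symlink_escape_rejected():
    """Build a scratch target dir containing a symlink that points outside
    it and report whether a write through that link is refused."""
    with tempfile.TemporaryDirectory() as outside, \
            tempfile.TemporaryDirectory() as target:
        os.symlink(outside, os.path.join(target, "link"))
        return not is_safe_member(target, "link/authorized_keys")


if __name__ == "__main__":
    # Constructed file list resembling what a hostile rsync server or a
    # crafted .rar could present; these are examples, not real captures.
    names = ["docs/readme.txt", "../.ssh/authorized_keys",
             "/etc/cron.d/backdoor", "a/../b.txt", "a/../../b.txt"]
    safe, rejected = partition_members("/srv/backup", names)
    print("safe:", safe)
    print("rejected:", rejected)
    print("symlink escape rejected:", symlink_escape_rejected())
```

The lexical check alone is what most naive extractors do; the realpath step is the part that closes the symlink variant, and it only works if it is repeated for every file rather than once up front, because the directory's contents change as the transfer proceeds.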

11.1 092 Python (LFS and BLFS) Date: 2022-08-18 Severity: Medium

In Python3-3.10.6, two security vulnerabilities were fixed that could allow for open redirection when using the HTTP server and for a use-after-free-based denial of service when using the memoryview function. The HTTP server vulnerability occurs when a URI path contains double slashes (//) in it, and allows for redirection to an attacker controlled point. The memoryview vulnerability occurs when accessing the backing buffer. These vulnerabilities do not have CVEs assigned to them, but more details can be found at their respective bug reports upstream: Bug 87389 and Bug 92888.

To fix these vulnerabilities, update to Python3-3.10.6 or later using the instructions from the BLFS book for Python3 (sysv) or Python3 (systemd).

11.1 091 GnuTLS Date: 2022-08-18 Severity: High

In GnuTLS-3.7.7, a security vulnerability was fixed that could allow for remotely-exploitable denial of service. This vulnerability occurs due to a double-free error when verifying PKCS#7 signatures using the gnutls_pkcs7_verify function. The highest impact from this vulnerability is an application crash. This vulnerability has been assigned CVE-2022-2509.

To fix this vulnerability, update to GnuTLS-3.7.7 or later using the instructions for GnuTLS (sysv) or GnuTLS (systemd).

11.1 090 WebKitGTK+ Date: 2022-08-18 Severity: High

In WebKitGTK+-2.36.5 (which had crash problems, fixed by 2.36.6), two security vulnerabilities were fixed that could allow for remote code execution and UI spoofing. The remote code execution vulnerability occurs when processing crafted web content, and is caused by an out-of-bounds write, which was fixed with improved input validation. The UI spoofing issue was resolved with improved UI handling, and occurs when visiting websites which have malicious content in their frames. These vulnerabilities have been assigned CVE-2022-32816 and CVE-2022-32792.

To fix these vulnerabilities, update to WebKitGTK+-2.36.6 or later using the instructions for WebKitGTK+ (sysv) or WebKitGTK+ (systemd).

11.1 089 Samba Date: 2022-08-18 Severity: Critical

In Samba-4.16.4, five security vulnerabilities were fixed that could allow for password change restrictions to be bypassed, forging of password change requests for users, server crashes with LDAP addition and modification requests, and memory information leaks. In a standard BLFS configuration, none of these vulnerabilities are applicable, but some users may use Active Directory with their systems, or the SMB1 protocol for supporting communication with legacy systems. If you use Active Directory with a BLFS system, or use the SMB1 protocol in the Samba server, update to Samba-4.16.4 immediately. These vulnerabilities have been assigned CVE-2022-2031, CVE-2022-32744, CVE-2022-32745, CVE-2022-32746, and CVE-2022-32742.

To fix these vulnerabilities, update to Samba-4.16.4 or later using the instructions for Samba (sysv) or Samba (systemd).

11.1 088 sqlite Date: 2022-08-18 Severity: High

In sqlite-3.39.2, a security vulnerability was fixed that could allow for an array boundary overflow if billions of bytes are used in a string argument to a C API. This could be triggered when importing existing databases in some applications, or when executing large queries. The attack vector is listed as Network, while attack complexity is marked as Low, but no privileges are required to exploit this vulnerability. The primary impact is denial of service (application crashes), and updating sqlite is recommended if you use it on any public-facing web server for a database. This vulnerability has been assigned CVE-2022-35737.

To fix this vulnerability, update to sqlite-3.39.2 using the instructions for sqlite (sysv) or sqlite (systemd).

11.1 087 libwebp Date: 2022-08-18 Severity: Medium

In libwebp-1.2.3 (which has since been updated to 1.2.4), a security vulnerability was fixed in the lossless encoder that could allow for memory leaks and segmentation faults in applications which attempt to convert JPEG images to WebP images using libwebp. No CVE number has been assigned, but details (such as the commits where this vulnerability was fixed) can be found in the BLFS ticket. More information can be found at BLFS Ticket #16803.

To fix this vulnerability, update to libwebp-1.2.4 or later using the instructions for libwebp (sysv) or libwebp (systemd).

11.1 086 Postgresql Date: 2022-08-18 Severity: Medium

Postgresql up to and including version 14.4 is vulnerable to arbitrary code execution through the use of extension scripts. The assigned CVE is CVE-2022-2625 (not public yet). Information about the issue can be found at Postgresql's site.

To fix this, update to postgresql-14.5 or later following the instructions for Postgresql (sysv) or Postgresql (systemd).

11.1 085 Unbound Date: 2022-08-02 Severity: Medium

Unbound up to and including version 1.16.1 is vulnerable to several types of ghost domain name attacks. The assigned CVEs are CVE-2022-30698 and CVE-2022-30699.

To fix these, update to Unbound-1.16.2 or later following the instructions for Unbound (sysv) or Unbound (systemd).

11.1 084 thunderbird Date: 2022-08-02 Severity: High

In thunderbird 102.1.0 several vulnerabilities were fixed, of which one was rated high. Details at mfsa-2022-32. The CVEs applicable to linux are CVE-2022-2505 (Not yet public), CVE-2022-35318 (Not yet public), and CVE-2022-36319 (Not yet public).

To fix these update to thunderbird-102.1.0 or later using the instructions for: Thunderbird (sysv) or Thunderbird (systemd).

11.1 083 Firefox Date: 2022-07-26 Severity: High

In firefox 102.1.0 several vulnerabilities were fixed, of which one was rated high. Details at mfsa-2022-30. The CVEs applicable to linux are CVE-2022-2505 (Not yet public), CVE-2022-35318 (Not yet public), CVE-2022-36319 (Not yet public).

To fix these update to firefox-102.1.0esr or later using the instructions for: Firefox (sysv) or Firefox (systemd).

11.1 082 Linux Kernel (LFS) Date: 2022-04-24 Severity: Medium

In Linux-5.18.14 (and 5.15.57) there are fixes for speculative-execution vulnerabilities which might lead to information disclosure and have been named 'RETBleed'. There are actually two quite different sets of vulnerabilities, for AMD and Intel.

This is particularly an issue for systems shared between multiple clients. The available mitigations vary. If you consider the threat is low, you might wish to disable the mitigations by passing 'retbleed=off'. Enabling the mitigations but not specifying a boot-time option will give you whatever 'auto' means on that particular CPU. All of these mitigations cause some reduction in the I/O per second and tend to slow compilations.

For AMD, this is CVE-2022-29900, which applies to Excavator, Zen1 and Zen2 processors.

For Zen1 and earlier, also Hygon, the options are 'unret' or 'unret,nosmt'. The latter disables the SMT sibling cores, so in effect you only have half the number of CPUs. 'Unret' means replace all 'ret' instructions with 'jmp __x86_return_thunk' on kernel entry. This is apparently not a total solution, an AMD advisory notes that selecting CONFIG_ZERO_CALL_USED_REGS in the kernel config may provide some strength in depth, but does not affect all possible vulnerable sites.

For Zen2, the choices are 'auto' (same as 'unret', but in this case it also adds STIBP protection for SMT) or 'ibpb' (stronger protection, higher performance impact).

For Intel, this is CVE-2022-29901 for generations 6 to 8, and CVE-2022-28693 for generations 9 to 12. Intel's recommended mitigation for Spectre v2 on generations 6 to 8 (IBRS) was not initially followed in the kernel because of the performance impact. Now, 'auto' (or 'ibpb') selects IBRS and this is applied to generations 6 to 8 processors. For processors from generation 9 to 12, enhanced IBRS (note that it's different from the "original" IBRS) has been used to mitigate Spectre v2 and it will be used to mitigate RETBleed too.

If you need to fix these, update to at least linux-5.18.14 (or linux-5.15.57 if you intend to stay on a long-term supported kernel) using the instructions from the LFS book for Linux Kernel (sysv) or Linux Kernel (systemd).

11.1 081 (LFS) OpenSSL Date: 2022-07-16 Severity: Medium

In OpenSSL 3.0.4, 1.1.1p, and earlier 3.0 or 1.1.1 releases, AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in place" encryption, sixteen bytes of the plaintext would be revealed. This vulnerability has been assigned CVE-2022-2097, and more details are available at the OpenSSL security advisory. (The OpenSSL security advisory also mentions CVE-2022-2274, but we'd worked around it in the instructions provided by the LFS book. So a LFS development system built "by the book" is not affected.)

If you are not running a 32-bit LFS installation, no action is needed. Otherwise to fix this vulnerability, if you are using OpenSSL 1.1.1 releases, update to OpenSSL-1.1.1q or later using the instructions for OpenSSL (sysv) or OpenSSL (systemd). If you are using OpenSSL 3.0 releases, update to OpenSSL-3.0.5 or later using the instructions for OpenSSL (sysv) or OpenSSL (systemd).

11.1 080 Xwayland Date: 2022-07-13 Severity: High

In Xwayland-22.1.3, two security vulnerabilities were fixed that could allow for local attackers to elevate privileges. These vulnerabilities occur due to improper input validation when processing keyboard inputs. Both of these vulnerabilities are classified as out-of-bounds access vulnerabilities, and they occur in the ProcXkbSetGeometry and ProcXkbSetDeviceInfo functions. The vulnerabilities occur due to not validating request lengths. These vulnerabilities have been assigned CVE-2022-2319 and CVE-2022-2320.

To fix these vulnerabilities, update to Xwayland-22.1.3 or later using the instructions for Xwayland (sysv) or Xwayland (systemd).

11.1 079 xorg-server Date: 2022-07-13 Severity: High

In xorg-server-21.1.4, two security vulnerabilities were fixed that could allow for local attackers to elevate privileges, and for remote attackers to elevate privileges on systems that use X forwarding. These vulnerabilities occur due to improper input validation when processing keyboard inputs. Both of these vulnerabilities are classified as out-of-bounds access vulnerabilities, and they occur in the ProcXkbSetGeometry and ProcXkbSetDeviceInfo functions. The vulnerabilities occur due to not validating request lengths. These vulnerabilities have been assigned CVE-2022-2319 and CVE-2022-2320.

To fix these vulnerabilities, update to xorg-server-21.1.4 or later using the instructions for xorg-server (sysv) or xorg-server (systemd).

11.1 078 GnuPG Date: 2022-07-13 Severity: Medium

In GnuPG-2.3.7, a security vulnerability was fixed that could allow for remote attackers to inject information into a signature that allows for signature forgery, and for application crashes for any program that uses GPGME. Note that this vulnerability can also cause repeatable crashes in mail clients such as Mutt and Evolution. This vulnerability has been assigned CVE-2022-34903.

To fix this vulnerability, update to GnuPG-2.3.7 or later using the instructions for GnuPG (sysv) or GnuPG (systemd).

11.1 077 Dovecot Date: 2022-07-13 Severity: High

A security vulnerability was discovered in Dovecot-2.3.19.1 that could allow for privilege escalation in some cases where a system administrator has misconfigured Dovecot with multiple password databases. The BLFS Editors have developed a patch to remediate this vulnerability. This vulnerability has been assigned CVE-2022-30550. More details can be found at the oss-security posting.

To fix this vulnerability, rebuild Dovecot-2.3.19.1 with the patch using the instructions for Dovecot (sysv) or Dovecot (systemd).

11.1 076 Seamonkey Date: 2022-07-13 Severity: High

In Seamonkey-2.53.13, several security vulnerabilities were fixed that could allow for memory safety problems, privileged code execution, incorrect error pages, full screen browser spoofing, content security policy bypasses, integer overflows, incorrect email signatures, remotely exploitable crashes, information disclosure, and remote code execution. These vulnerabilities happen during a variety of use cases, so updating as soon as possible is recommended. These vulnerabilities have been assigned CVE-2022-31736, CVE-2022-31737, CVE-2022-31738, CVE-2022-31740, CVE-2022-31741, CVE-2022-31742, CVE-2022-31747, CVE-2022-1834, CVE-2022-34479, CVE-2022-34470, CVE-2022-34468, CVE-2022-34481, CVE-2022-31744, CVE-2022-34472, CVE-2022-2200, CVE-2022-2226, and CVE-2022-34484.

To fix these vulnerabilities, update to Seamonkey-2.53.13 or later using the instructions for Seamonkey (sysv) or Seamonkey (systemd).

11.1 075 PHP Date: 2022-07-13 Severity: Medium

In PHP-8.1.8, a security vulnerability was fixed that could allow for a heap buffer overflow in finfo_buffer when processing input from users or scripts. This occurs when trying to determine the type of file to be processed. This heap buffer overflow mostly causes memory corruption, which leads to a denial of service condition, and there is no evidence in the upstream bug report that it can lead to remote code execution. This vulnerability has been assigned CVE-2022-31627 (not yet available). For more information, see the upstream bug report: PHP Bug 81723.

To fix this vulnerability, update to PHP-8.1.8 or later using the instructions for PHP (sysv) or PHP (systemd).

11.1 074 Node.js Date: 2022-07-13 Severity: High

In node.js-16.16.0, several security vulnerabilities were fixed that could allow for HTTP Request Smuggling and DNS rebinding. An additional security vulnerability was fixed that could allow for a local attacker to modify the OpenSSL configuration for other users due to a hardcoded path check. The HTTP Request Smuggling vulnerabilities occur due to a flawed parsing of the Transfer-Encoding field in an HTTP Header, as well as due to a flaw where CRLF sequences are not properly delimited in HTTP requests. The DNS rebinding vulnerability occurs due to the IsIPAddress function not validating whether an IP address is valid. These vulnerabilities have been assigned CVE-2022-32213, CVE-2022-32214, CVE-2022-32215, CVE-2022-32212, and CVE-2022-32222.

To fix these vulnerabilities, update to node.js-16.16.0 or later using the instructions for node.js (sysv) or node.js (systemd).

11.1 073 Git Date: 2022-07-13 Severity: High

In git-2.37.1, a security vulnerability was fixed that could allow for privilege escalation and remote code execution due to Git not properly checking the ownership of directories in a multi-user system when running commands in the local repository configuration. This is similar to CVE-2022-29187 and is due to an incomplete fix. An unsuspecting user could still be affected by the issue, for example when navigating as 'root' into a shared temporary directory that is owned by them, but where an attacker has created a git repository. A temporary workaround is to avoid running git as 'root' or any administrator user. This vulnerability has been assigned CVE-2022-29187.

To fix this vulnerability, update to git-2.37.1 or later using the instructions for git (sysv) or git (systemd).

11.1 072 Speex Date: 2022-07-13 Severity: Medium

In Speex-1.2.1, two security vulnerabilities were fixed that could allow for stack buffer overflows and denial of service when using the 'speexenc' and 'speexdec' utilities to encode and decode WAV files. Note that the primary attack vector is crafted WAV files, and a user must download and run the files against the 'speexenc' and 'speexdec' programs to exploit them. These vulnerabilities have been assigned CVE-2020-23903 and CVE-2020-23904.

To fix these vulnerabilities, update to Speex-1.2.1 or later using the instructions for Speex (sysv) or Speex (systemd).

11.1 071 WebKitGTK+ Date: 2022-07-13 Severity: Medium

In WebKitGTK+-2.36.4, two security vulnerabilities were fixed that could allow for remote code execution and undesirable behavior. In the case of the undesirable behavior, it was found that video calls that use WebRTC could be interrupted if the audio capture was interrupted. In the case of the remote code execution vulnerability, processing maliciously crafted web content can result in remote code execution - this was a use-after-free issue which was addressed with improved memory management. These vulnerabilities have been assigned CVE-2022-22677 and CVE-2022-26710.

To fix these vulnerabilities, update to WebKitGTK+-2.36.4 or later using the instructions for WebKitGTK+ (sysv) or WebKitGTK+ (systemd).

11.1 070 cURL Date: 2022-07-13 Severity: Medium

In cURL-7.84.0, four security vulnerabilities were fixed that could allow for denial of service, unpreserved file permissions, and faulty message verification. The faulty message verification occurs when using the FTP protocol with Kerberos support. This flaw makes it possible to inject data into the data stream when downloading files due to improper verification. Note that FTP combined with Kerberos is very rarely used. The unpreserved file permissions vulnerability occurs due to accidentally widening permissions on files which are downloaded from cookies. Note that this can be worked around by using a strict umask. One of the denial of service vulnerabilities occurs when using HTTP compression due to a flaw in cURL's "chained" HTTP compression algorithm support. The number of acceptable "links" in the chain was unbounded, allowing for infinite amounts of memory to be used. The other denial-of-service vulnerability occurs when the Set-Cookie option is used in an HTTP header. A sufficient amount of cookies could cause cURL to deny all further cookies from any other websites. These vulnerabilities have been assigned CVE-2022-32208, CVE-2022-32207, CVE-2022-32206, and CVE-2022-32205.

To fix these vulnerabilities, update to cURL-7.84.0 or later using the instructions for cURL (sysv) or cURL (systemd).

11.1 069 Thunderbird Date: 2022-06-29 Severity: High

In thunderbird 91.11.0 and 102.0 several vulnerabilities were fixed, of which four were rated high, and at least one of the others (see SA 11.1 067 below) sounds as if it is high. Details at mfsa-2022-26. The high or assumed-high CVEs common to both versions are CVE-2022-2200 (Not yet public), CVE-2022-34468 (Not yet public), CVE-2022-34470 (Not yet public), CVE-2022-34479 (Not yet public), CVE-2022-34484 (Not yet public).

To fix these update to thunderbird-102.0 or later using the instructions for: Thunderbird (sysv) or Thunderbird (systemd).

Alternatively, update to thunderbird-91.11.0 as a short-term fix which does not require updated dependencies. Please note that any future versions of the thunderbird 91 series will not be specifically monitored, you should plan to update to the 102 series.

11.1 068 Firefox Date: 2022-06-28 Severity: High

In firefox 91.11.0 and 102.0 several vulnerabilities were fixed, of which four were rated high, and at least one of the others (see SA 11.1 067 below) sounds as if it is high. Details at mfsa-2022-25 (91.11.0) and mfsa-2022-24 (102.0). The high or assumed high CVEs common to 91esr and 102|esr are CVE-2022-2200 (Not yet public), CVE-2022-34468 (Not yet public), CVE-2022-34470 (Not yet public), CVE-2022-34479 (Not yet public), CVE-2022-34484 (Not yet public).

To fix these update to firefox-102.0esr or later using the instructions for: Firefox (sysv) or Firefox (systemd).

Alternatively, update to firefox-91.11.0 as a short-term fix which does not require updated dependencies. Please note that firefox 91esr will have two more releases and then become unsupported.

11.1 067 JS91 Date: 2022-06-28 Severity: High

In the javascript code of firefox-91.11.0 and 102.0 there is a fix for attackers setting undesired attributes on a Javascript object, leading to privileged code execution - CVE-2022-2200. Note that mozilla describe this as 'moderate'. Details are not yet public, see the advisory for firefox-91.11.0 mfsa-2022-25. Further details are expected at CVE-2022-2200 (Not yet public).

To fix this, update to JS-91.11.0 or later using the instructions for JS91 (sysv) or JS91 (systemd).

11.1 066 (LFS) OpenSSL Date: 2022-06-22 Severity: Medium

In OpenSSL 3.0.3, 1.1.1o, and earlier 3.0 or 1.1.1 releases, improper handling of shell metacharacters allowing command injection was found in the c_rehash script. This may be exploited to execute arbitrary commands, causing a privilege escalation if c_rehash is executed (maybe automatically in some configuration) with privileges. This vulnerability has been assigned CVE-2022-2068, and more details are available at the OpenSSL security advisory.

Use of the c_rehash script is considered obsolete and should be replaced by the openssl rehash command.

To fix this vulnerability, if you are using OpenSSL 1.1.1 releases, update to OpenSSL-1.1.1p or later using the instructions for OpenSSL (sysv) or OpenSSL (systemd). If you are using OpenSSL 3.0 releases, update to OpenSSL-3.0.5 or later using the instructions for OpenSSL (sysv) or OpenSSL (systemd). Do not update to OpenSSL-3.0.4 because 3.0.4 contains a severe issue and our workaround for it is no longer in the book.

11.1 065 Qt5 Date: 2022-06-22 Severity: High

In Qt5 5.15.6 (commercial), a security vulnerability has been fixed which could allow an out-of-bounds write in the qtbase code. The fix has been ported to the repository maintained by kde, and is available in the patch provided for Qt-5.15.5 in BLFS. It is recommended that you update to version 5.15.5 as soon as possible. This vulnerability has been assigned CVE-2022-38593.

To fix this vulnerability, update to Qt-5.15.5 using the instructions for Qt5 (sysv) or Qt5 (systemd).

11.1 064 gstreamer Date: 2022-06-18 Severity: High

In gstreamer (and plugins) 1.20.3, seven security vulnerabilities were fixed which could allow for heap overwrites, leading to arbitrary code execution or denial of service (application crashes). These vulnerabilities occur when processing AVI files, MKV files (which are using zlib, bz2, or LZO compression), MP4 files (which are using zlib compression), and when processing files which use the Matroska video codec. If you are using gstreamer and its plugins for playing files from the internet, it is recommended that you update to version 1.20.3 of the stack as soon as possible. These vulnerabilities have been assigned CVE-2022-1921, CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925, CVE-2022-2122, and CVE-2022-1920.

To fix these vulnerabilities, update to gstreamer-1.20.3 as well as the plugins using the instructions for gstreamer (sysv) or gstreamer (systemd).

11.1 063 Exo Date: 2022-06-13 Severity: Critical

In Exo-4.16.4, a security vulnerability was fixed that could allow for Exo to silently execute malicious .desktop files which come from outside sources, such as from the web. The vulnerability exists due to a logic error which allows for untrusted .desktop files to be executed, and has been resolved by only executing local .desktop files instead. This vulnerability has been assigned CVE-2022-32278.

To fix this vulnerability, update to Exo-4.16.4 or later using the instructions for Exo (sysv) or Exo (systemd).

11.1 062 PHP Date: 2022-06-13 Severity: Medium

In PHP-8.1.7, two security vulnerabilities were fixed that could allow for remote code execution and denial of service when the mysqlnd and pgsql modules are in use. In the case of mysqlnd, the vulnerability happens while accepting passwords from a user, and results in a buffer overflow. In the case of pgsql, there is an uninitialized array vulnerability that results in remote code execution. If you have an application which accepts passwords from users (and is written in PHP and uses mysqlnd), or which uses pgsql, update to php-8.1.7 immediately as there are exploits known in the wild. These vulnerabilities have been assigned CVE-2022-31625 (not yet public) and CVE-2022-31626 (not yet public).

To fix these vulnerabilities, update to PHP-8.1.7 using the instructions for PHP (sysv) or PHP (systemd).

11.1 061 Apache HTTPD Date: 2022-06-13 Severity: High

In httpd-2.4.54, several security vulnerabilities were fixed that could allow for information disclosure (in applications using mod_lua), authentication bypass (for applications using mod_proxy), denial of service (when using mod_lua or mod_sed), and information disclosure when httpd compares strings (using ap_strcmp_match() or ap_rwrite()). A vulnerability also exists in mod_proxy_ajp that would allow for HTTP Request Smuggling. In a standard configuration, only the information disclosure vulnerabilities for strings are relevant, but some users may have applications which use mod_proxy, mod_lua, or mod_sed, and may be impacted as well. Updating to httpd-2.4.54 is recommended. These vulnerabilities have been assigned CVE-2022-31813, CVE-2022-30556, CVE-2022-30522, CVE-2022-29404, CVE-2022-28615, CVE-2022-28614, CVE-2022-28330, and CVE-2022-26377.

To fix these vulnerabilities, update to httpd-2.4.54 or later using the instructions for Apache (sysv) or Apache (systemd).

11.1 060 ntfs-3g Date: 2022-06-13 Severity: Critical

In ntfs-3g-2022.5.17, several security vulnerabilities were fixed that could allow for kernel-level code execution. These vulnerabilities all occur due to incorrect validation of several kinds of NTFS metadata, which will cause buffer overflows when a drive (or disk image) is mounted, leading to kernel level code execution. Proof-of-concept exploits for all of these vulnerabilities are floating around in the wild, and updating to the latest version is recommended immediately if you have this package installed. These vulnerabilities have been assigned CVE-2021-46790, CVE-2022-30784, CVE-2022-30786, CVE-2022-30788, CVE-2022-30789, CVE-2022-30783, CVE-2022-30785, CVE-2022-30787.

To fix these vulnerabilities, update to NTFS-3g-2022.5.17 or later using the instructions for ntfs-3g (sysv) or ntfs-3g (systemd).

11.1 059 WebKitGTK+ Date: 2022-06-13 Severity: High

In WebKitGTK+-2.36.3, five security vulnerabilities were fixed that may allow for remote code execution when processing maliciously crafted web content, such as videos, audio files, advertisements, and web pages. These vulnerabilities occur due to improper input validation when processing files, and were classified as memory corruption and use-after-free issues, being fixed by improved state and memory management. Updating to WebKitGTK+-2.36.3 immediately is recommended if you are using it in a web browser capacity. These vulnerabilities have been assigned CVE-2022-26700, CVE-2022-26709, CVE-2022-26717, CVE-2022-26716, and CVE-2022-26719.

To fix these vulnerabilities, update to WebKitGTK+-2.36.3 or later using the instructions for WebKitGTK+ (sysv) or WebKitGTK+ (systemd).

11.1 058 libtiff Date: 2022-06-13 Severity: Medium

In libtiff-4.4.0, two security vulnerabilities were fixed that could allow for denial of service and memory corruption when processing crafted files. These occur in the 'tiffinfo' tool and in the 'tiffcp' tool, which are commonly used by users who need to manipulate TIFF files. These vulnerabilities have been assigned CVE-2022-1354 and CVE-2022-1355.

To fix these vulnerabilities, update to libtiff-4.4.0 using the instructions for libtiff (sysv) or libtiff (systemd).

11.1 057 CUPS Date: 2022-06-13 Severity: Medium

In CUPS-2.4.2, a security vulnerability was fixed that could allow for a local privilege escalation to root (or the 'lp' user on LFS systems) due to a logic error that occurs when processing internal certificates. Upstream has noted that the vulnerability is trivial to exploit and can occur in the CUPS web interface, which is often used for configuring and installing printers. This vulnerability has been assigned CVE-2022-26691, and more details are available at Mandiant Disclosure.

To fix this vulnerability, update to CUPS-2.4.2 or later using the instructions for CUPS (sysv) or CUPS (systemd).

11.1 056 Thunderbird Date: 2022-06-01 Severity: High

In thunderbird 91.10.0 several vulnerabilities were fixed, of which six were rated high and one medium. Documented in mfsa-2022-22. The CVEs are CVE-2022-1834 (Not yet public), CVE-2022-31736 (Not yet public), CVE-2022-31737 (Not yet public), CVE-2022-31738 (Not yet public), CVE-2022-31741 (Not yet public), CVE-2022-31742 (Not yet public), CVE-2022-31747 (Not yet public).

To fix these vulnerabilities, update to Thunderbird-91.10.0 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).

11.1 055 NSS Updated: 2022-06-01 Severity: High

In NSS-3.68.4, 3.78.1 and 3.79 two bugs with restricted access were fixed. It is assumed these are vulnerability fixes, and in the absence of further details they are rated as high. The bugs are bmo1767590 and bmo1766978.

The first of these has now been identified as CVE-2022-31741 in the list of fixes for thunderbird-91.10.0, mfsa-2022-22.

To fix this, update to at least NSS-3.79 using the instructions for NSS (sysv) or NSS (systemd).

11.1 054 Firefox Date: 2022-05-31 Severity: High

In firefox 91.10.0 several vulnerabilities were fixed, of which five were rated high and one rated medium. These are documented in mfsa-2022-21. The CVEs are CVE-2022-31736 (Not yet public), CVE-2022-31737 (Not yet public), CVE-2022-31738 (Not yet public), CVE-2022-31741 (Not yet public), CVE-2022-31742 (Not yet public), CVE-2022-31747 (Not yet public).

To fix these, update to firefox-91.10.0esr or later using the instructions for: Firefox (sysv) or Firefox (systemd).

11.1 053 VIM (LFS and BLFS) Date: 2022-05-29 Severity: Medium

In vim-8.2.5014, 11 vulnerabilities causing vim to crash because of buffer overflow, use after free, uncontrolled recursion, and NULL pointer dereference have been found and fixed. The analysis of some vulnerabilities among them suggests that these might be exploited for remote execution. These vulnerabilities have been assigned CVE-2022-1616, CVE-2022-1620, CVE-2022-1621, CVE-2022-1629, CVE-2022-1674, CVE-2022-1733, CVE-2022-1735, CVE-2022-1769, CVE-2022-1771, CVE-2022-1785, and CVE-2022-1796.

To fix these vulnerabilities, update to vim-8.2.5014 or later using the instructions for vim (sysv) or vim (systemd).

11.1 052 Logrotate Date: 2022-05-27 Severity: High

A vulnerability was found in logrotate in how the state file is created. The state file is used to prevent parallel executions of multiple instances of logrotate by acquiring and releasing a file lock. When the state file does not exist, it is created with world-readable permission, allowing an unprivileged user to lock the state file, stopping any rotation. This vulnerability has been assigned CVE-2022-1348.

To fix this vulnerability, update to logrotate-3.20.1 or later with the instructions for logrotate (sysv) or logrotate (systemd).
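As an added illustration of the defensive pattern behind this fix (example code written for this page, not logrotate's own source): the state file is created with an explicit restrictive mode instead of the umask-derived default, an already existing file with wider permissions is tightened, and the exclusive non-blocking lock a rotation run would take is shown to be refused while another open file description holds it. The path under /tmp is a constructed placeholder.

```c
#include <errno.h>
#include <fcntl.h>
#include <sys/file.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pure check: can users other than the owner and group open this file?
 * A world-readable state file can be opened read-only by any local user,
 * which is all that is needed to hold a shared lock on it and block the
 * exclusive lock the rotation run needs. */
int mode_is_world_accessible(mode_t mode)
{
    return (mode & S_IRWXO) != 0;
}

/* Open the state file for locking. A new file is created 0640 (the explicit
 * mode cannot be widened by a permissive umask); an existing file that has
 * any 'other' bits set is tightened. Returns an fd, or -1 on error. */
int open_state_file(const char *path)
{
    int fd = open(path, O_RDWR | O_CREAT, 0640);
    if (fd < 0)
        return -1;

    struct stat st;
    if (fstat(fd, &st) < 0) {
        close(fd);
        return -1;
    }
    if (mode_is_world_accessible(st.st_mode) && fchmod(fd, 0640) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Take the exclusive, non-blocking lock a rotation run would hold.
 * Returns 1 if acquired, 0 if another holder blocks it, -1 on error. */
int try_lock_state_file(int fd)
{
    if (flock(fd, LOCK_EX | LOCK_NB) == 0)
        return 1;
    return (errno == EWOULDBLOCK) ? 0 : -1;
}

/* Demo: create a fresh state file at a constructed path and report the
 * 'other' permission bits it ended up with (0 is the expected result). */
int demo_state_file_other_bits(const char *path)
{
    unlink(path);
    int fd = open_state_file(path);
    if (fd < 0)
        return -1;

    struct stat st;
    int rc = (fstat(fd, &st) == 0) ? (int)(st.st_mode & S_IRWXO) : -1;
    close(fd);
    unlink(path);
    return rc;
}

/* Demo: two independent open() calls give two open file descriptions, so
 * the second exclusive lock attempt must be refused while the first holds
 * the lock. Returns 1 when that is what happens. */
int demo_lock_contention(const char *path)
{
    unlink(path);
    int a = open_state_file(path);
    int b = open_state_file(path);
    int ok = 0;

    if (a >= 0 && b >= 0)
        ok = (try_lock_state_file(a) == 1) && (try_lock_state_file(b) == 0);
    if (a >= 0) close(a);
    if (b >= 0) close(b);
    unlink(path);
    return ok;
}
```

The pure `mode_is_world_accessible` check is the part worth reusing in an audit script: any lock or state file under /var/lib that reports non-zero 'other' bits is a candidate for the same denial-of-service pattern.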

11.1 051 Seamonkey Date: 2022-05-26 Severity: Critical

A security vulnerability was identified in Seamonkey-2.53.12 that could allow for remote attackers to execute arbitrary code via crafted JavaScript statements. This occurs due to prototype pollution in the top-level await implementation, which can happen when triggering notifications from websites. This is identical to CVE-2022-1802 in Firefox and Thunderbird, but Seamonkey does not contain the required code to be vulnerable to CVE-2022-1529. The BLFS editors have created a patch to prevent this issue from happening. This vulnerability has been assigned CVE-2022-1802 (not yet public).

To fix this vulnerability, rebuild Seamonkey-2.53.12 with the patch using the instructions for Seamonkey (sysv) or Seamonkey (systemd).

11.1 050 MariaDB Date: 2022-05-26 Severity: High

In MariaDB-10.6.8, 24 security vulnerabilities were fixed that could allow for remote (and local) attackers to create, modify, and delete data, as well as perform remote code execution on the server in the context of the user which owns the MariaDB server, and cause the server to crash. This occurs due to crafted SQL statements. Updating to MariaDB-10.6.8 is recommended if you run a server which accepts queries from anonymous users, or from the internet. These vulnerabilities have been assigned CVE-2021-46669, CVE-2022-27376, CVE-2022-27377, CVE-2022-27378, CVE-2022-27379, CVE-2022-27380, CVE-2022-27381, CVE-2022-27382, CVE-2022-27383, CVE-2022-27384, CVE-2022-27386, CVE-2022-27387, CVE-2022-27444, CVE-2022-27445, CVE-2022-27446, CVE-2022-27447, CVE-2022-27448, CVE-2022-27449, CVE-2022-27451, CVE-2022-27452, CVE-2022-27455, CVE-2022-27456, CVE-2022-27457, and CVE-2022-27458.

To fix these vulnerabilities, update to MariaDB-10.6.8 or later using the instructions for MariaDB (sysv) or MariaDB (systemd).

11.1 049 cifs-utils Date: 2022-05-26 Severity: High

In cifs-utils-6.15, two security vulnerabilities were fixed that could allow for local attackers to escalate privileges to root, or for information disclosure (credentials) in some situations. The privilege escalation vulnerability happens due to a stack-based buffer overflow, which occurs when parsing the ip= command line argument to the mount.cifs command. The information disclosure vulnerability occurs due to logging errors when a file contains an 'equals sign' (=) that does not equal a valid credentials file. These vulnerabilities have been assigned CVE-2022-27239 and CVE-2022-29869.

To fix these vulnerabilities, update to cifs-utils-6.15 or later using the instructions for cifs-utils (sysv) or cifs-utils (systemd).

11.1 048 PostgreSQL Date: 2022-05-26 Severity: High

In PostgreSQL-14.3, a security vulnerability was fixed that could allow for a user to create objects within a database that could execute arbitrary SQL code with superuser permissions the next time that autovacuum processed the object, as well as when a superuser ran commands against it. This affects the Autovacuum, CLUSTER, CREATE INDEX, REINDEX, REFRESH MATERIALIZED VIEW, and pg_amcheck commands, due to them activating the "security restricted operation" protection mechanism too late, or not at all in some code paths. If you use PostgreSQL for anything in a server capacity, updating PostgreSQL is recommended. This vulnerability has been assigned CVE-2022-1552.

To fix this vulnerability, update to PostgreSQL-14.3 or later using the instructions for PostgreSQL (sysv) or PostgreSQL (systemd).

11.1 047 OpenJPEG Date: 2022-05-26 Severity: Medium

In OpenJPEG-2.5.0, a security vulnerability was fixed that could allow for remote attackers to crash an application, causing a denial of service. This occurs when an attacker uses a command line option called "-ImgDir" on any of the OpenJPEG tools, when the directory contains 1048576 files. This particular command line option combined with the amount of files is relatively uncommon, but decompressing, compressing, and dumping JPEG2000 files is a rather common operation. If you use OpenJPEG on a folder with millions of JPEG files in it, updating OpenJPEG is recommended. This vulnerability has been assigned CVE-2021-29338.

To fix this vulnerability, update to OpenJPEG-2.5.0 or later using the instructions for OpenJPEG (sysv) or OpenJPEG (systemd).

11.1 046 Epiphany Date: 2022-05-26 Severity: High

In Epiphany-42.2, a security vulnerability was fixed that could allow for remote code execution due to a client buffer overflow when processing some crafted HTML documents. The vulnerability exists in the ephy_string_shorten function in the User Interface process, and it occurs due to the number of bytes for a UTF-8 ellipsis character not being properly considered. As a result of this, remote code execution can be achieved by visiting web pages that have overly long titles. This vulnerability has been assigned CVE-2022-29536.

To fix this vulnerability, update to Epiphany-42.2 using the instructions for Epiphany (sysv) or Epiphany (systemd).
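The advisory above describes a sizing error around the UTF-8 ellipsis when a title is shortened. As an added example (written for this page; it is not Epiphany's ephy_string_shorten and makes no claim about its internals), here is a shortening routine that budgets the three bytes the ellipsis actually occupies, refuses to write past the caller's buffer, and also backs up to a code point boundary so a cut never lands inside a multi-byte sequence. `shorten_demo` is a convenience wrapper over a static buffer for trying inputs.

```c
#include <stddef.h>
#include <string.h>

/* U+2026 HORIZONTAL ELLIPSIS: one glyph on screen, three bytes in UTF-8.
 * Budgeting a single byte for it (as if it were an ASCII '.') is the class
 * of under-allocation the advisory describes. */
#define ELLIPSIS "\xE2\x80\xA6"

size_t ellipsis_bytes(void)
{
    return strlen(ELLIPSIS);   /* 3 */
}

/* Shorten 's' so that the result, ellipsis included, occupies at most
 * 'max_bytes'. Never writes beyond 'out_size' (NUL included) and never cuts
 * inside a multi-byte sequence. Returns bytes written (excluding the NUL),
 * or -1 when the output buffer is too small or max_bytes cannot hold an
 * ellipsis at all. */
long shorten_utf8(const char *s, size_t max_bytes, char *out, size_t out_size)
{
    size_t len = strlen(s);

    /* Short enough already: plain copy, still bounds-checked. */
    if (len <= max_bytes) {
        if (len + 1 > out_size)
            return -1;
        memcpy(out, s, len + 1);
        return (long)len;
    }
    if (max_bytes < ellipsis_bytes())
        return -1;

    size_t keep = max_bytes - ellipsis_bytes();
    /* UTF-8 continuation bytes look like 10xxxxxx; step back over them so
     * the kept prefix ends on a code point boundary. */
    while (keep > 0 && ((unsigned char)s[keep] & 0xC0) == 0x80)
        keep--;

    if (keep + ellipsis_bytes() + 1 > out_size)
        return -1;
    memcpy(out, s, keep);
    memcpy(out + keep, ELLIPSIS, ellipsis_bytes());
    out[keep + ellipsis_bytes()] = '\0';
    return (long)(keep + ellipsis_bytes());
}

/* Wrapper for experiments: shortens into a static 64-byte buffer, with
 * 'out_size' (clamped to 64) simulating a caller-provided buffer size.
 * Returns the result, or NULL when shorten_utf8 reports an error. */
const char *shorten_demo(const char *s, size_t max_bytes, size_t out_size)
{
    static char buf[64];
    if (out_size > sizeof buf)
        out_size = sizeof buf;
    return shorten_utf8(s, max_bytes, buf, out_size) < 0 ? NULL : buf;
}
```

The two checks that matter for the bug class are the explicit `strlen(ELLIPSIS)` budget and the `keep + ellipsis_bytes() + 1 > out_size` guard; the code point boundary loop is the extra correctness step a practitioner would want once the byte accounting is right.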

11.1 045 libxml2 Date: 2022-05-26 Severity: Medium

In libxml2-2.9.14, a security vulnerability was fixed that can cause out-of-bounds memory writes due to several buffer handling functions not checking for integer overflows. Note that exploitation requires a victim to open a crafted XML file that is multiple gigabytes in size, however other software that uses libxml2's buffer functions, including libxslt, is impacted as well. This vulnerability has been assigned CVE-2022-29824.

To fix this vulnerability, update to libxml2-2.9.14 using the instructions for libxml2 (sysv) or libxml2 (systemd).

11.1 044 Thunderbird Date: 2022-05-22 Severity: Critical

In thunderbird 91.9.1 two critical javascript vulnerabilities were fixed, documented in mfsa-2022-19. The CVEs are CVE-2022-1529 (Not yet public), CVE-2022-1802 (Not yet public).

To fix these vulnerabilities, update to Thunderbird-91.9.1 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).

11.1 043 Firefox Date: 2022-05-22 Severity: Critical

In firefox 91.9.1 two critical javascript vulnerabilities were fixed, documented in mfsa-2022-19. The CVEs are CVE-2022-1529 (Not yet public), CVE-2022-1802 (Not yet public).

To fix these, update to firefox-91.9.1esr or later using the instructions for: Firefox (sysv) or Firefox (systemd).

11.1 042 BIND9 Date: 2022-05-19 Severity: Medium

In BIND-9.18.3, on vulnerable configurations, the named daemon may, in some circumstances, terminate with an assertion failure. Vulnerable configurations are those that include a reference to http within the listen-on statements in their named.conf. TLS is used by both DNS over TLS (DoT) and DNS over HTTPS (DoH), but configurations using DoT alone are unaffected. This vulnerability has been assigned CVE-2022-1183.

To fix this vulnerability, update to BIND-9.18.3 or later using the instructions for BIND (sysv) or BIND (systemd).

11.1 041 Thunderbird Date: 2022-05-13 Severity: High

In Thunderbird-91.9.0, several security vulnerabilities were fixed. In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts. It is recommended that you update as soon as possible. These vulnerabilities have been assigned mfsa-2022-18. The CVEs are CVE-2022-1520, CVE-2022-29914, CVE-2022-29909, CVE-2022-29916, CVE-2022-29911, CVE-2022-29912, CVE-2022-29913, and CVE-2022-29917.

To fix these vulnerabilities, update to Thunderbird-91.9.0 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).

11.1 040 Seamonkey Date: 2022-05-13 Severity: High

In Seamonkey-2.53.12, the same security vulnerabilities that were fixed in Firefox (and Thunderbird) 91.9.0 had their fixes ported over. These vulnerabilities have been assigned: mfsa-2022-17. The CVEs are CVE-2022-29909 (Not yet public), CVE-2022-29911 (Not yet public), CVE-2022-29912 (Not yet public), CVE-2022-29914 (Not yet public), CVE-2022-29916 (Not yet public), CVE-2022-29917 (Not yet public).

To fix these vulnerabilities, update to Seamonkey-2.53.12 or later using the instructions for Seamonkey (sysv) or Seamonkey (systemd).

11.1 039 cURL Date: 2022-05-13 Severity: Medium

In cURL-7.83.1, six vulnerabilities have been fixed. These vulnerabilities may cause cURL to wrongly remove files, mishandle HTTP cookie domains or percent-encoded elements in URLs, ignore security-related option changes when reusing connections, or bypass HSTS rules. And, if cURL is built with NSS (BLFS has not mentioned such a configuration), one of the vulnerabilities can cause it to get stuck in an endless loop.

These vulnerabilities have been assigned CVE-2022-27778, 27779, 27780, 27781, 27782, and 30115 (not disclosed yet). For details refer to cURL vulnerability list.

To fix them, update to at least cURL-7.83.1 for cURL (sysv) or cURL (systemd).

11.1 038 Intel Microcode Date: 2022-05-10 Severity: Medium

Intel microcode for Skylake and later processors has been updated to fix an information disclosure vulnerability, Intel-SA-00617 CVE-2022-21151 (not yet public).

To fix this, update to at least microcode-20220510 using the instructions for About Firmware (sysv) or About Firmware (systemd).

11.1 037 VIM (LFS and BLFS) Date: 2022-05-06 Severity: High

In vim-8.2.4814, three vulnerabilities causing vim to crash because of heap buffer overflow or use after free have been found and fixed. These vulnerabilities have been assigned CVE-2022-1154, CVE-2022-1160, and CVE-2022-1381.

To fix these vulnerabilities, update to vim-8.2.4814 or later using the instructions for vim (sysv) or vim (systemd).

11.1 036 Firefox Date: 2022-05-03 Severity: High

In firefox 91.9.0 six CVE issues, five rated High, were fixed. These are listed in mfsa-2022-17. The CVEs are CVE-2022-29909 (Not yet public), CVE-2022-29911 (Not yet public), CVE-2022-29912 (Not yet public), CVE-2022-29914 (Not yet public), CVE-2022-29916 (Not yet public), CVE-2022-29917 (Not yet public).

To fix these, update to firefox-91.9.0esr or later using the instructions for: Firefox (sysv) or Firefox (systemd).

11.1 035 Pidgin Date: 2022-04-30 Severity: Low

The XMPP protocol is a set of open technologies for instant messaging. It relies heavily on DNS for both servers and clients. One part of the protocol defines "_xmppconnect" TXT records, which are now known to be vulnerable to Man-in-the-Middle attacks if not using DNSSEC, so the Pidgin developers have decided to remove the associated code in version 2.4.19. This vulnerability has been assigned CVE-2022-26491 (not public yet). More details may be found at the pidgin site.

To fix this, update to pidgin-2.4.19 or later using the instructions for Pidgin (sysv) or Pidgin (systemd).

11.1 034 Java binaries/OpenJDK Date: 2022-04-26 Severity: High

In openjdk-18.0.1, openjdk-17.0.3 (LTS), and openjdk-11.0.15 (LTS), several security vulnerabilities were fixed that could allow remote unauthenticated creation, deletion, modification of, or access to files/data or various denial of services. These vulnerabilities have been assigned CVE-2022-21426, CVE-2022-21434, CVE-2022-21443, CVE-2022-21449, CVE-2022-21476, and CVE-2022-21496.

To fix these vulnerabilities, update to java binaries/openjdk-18.0.1, 17.0.3 (LTS) or 11.0.15 (LTS) or later using the instructions for Java binaries (sysv) or OpenJDK (sysv) or Java binaries (systemd) or OpenJDK (systemd).

11.1 033 libinput Date: 2022-04-21 Severity: High

In libinput-1.20.1, a security vulnerability was fixed that could allow for arbitrary code execution due to a bug in the log handlers. When a device is detected by libinput and initialized, libinput will log several messages with log handlers set up by the calling functions. These log handlers will eventually result in a printf() call. Logging happens with the privileges of the caller - in some cases, that may be root, in other cases it'll occur with whatever the privileges of the current user are. The device name ends up being part of the format string, and a kernel device with printf-style format string placeholders in its name can enable an attacker to run malicious code. An exploit is therefore possible through any device where the attacker can control the device name. A couple of examples are /dev/uinput and Bluetooth devices. Upstream has noted that all versions of libinput since 1.10 (released in February of 2018) are affected, and this affects any system that uses either X.org or Wayland, as well as the xf86-input-libinput X.org input driver. This vulnerability has been assigned CVE-2022-1215 (not public yet), however more details can be found at libinput security advisory.

To fix this vulnerability, update to libinput-1.20.1 or later using the instructions for libinput (sysv) or libinput (systemd).

11.1 032 Mutt Updated: 2022-04-15 Severity: Medium

In mutt before mutt-2.2.3 a buffer overflow in the uudecoder allows reading past the end of the input line. This has been assigned CVE-2022-1328 (awaiting analysis).

To fix this, update to mutt-2.2.3 or later using the instructions for Mutt (sysv) or Mutt (systemd).

11.1 031 xz (LFS) Date: 2022-04-15 Severity: Critical

The same vulnerability in zgrep which was fixed in zlib-1.2.12 also applies to using xzgrep from xz. Upstream has provided a patch. This vulnerability has been assigned CVE-2022-1271, see tuukani.org/xz.

To fix this, rebuild xz with the xz-5.2.5-upstream_fix-1.patch using the instructions at xz (sysv) or xz (systemd).

11.1 030 Ruby Date: 2022-04-15 Severity: Moderate

In ruby-3.1.2, two security vulnerabilities were fixed that could allow for application crashes and invalid memory reads. These vulnerabilities can be triggered when using Regular Expressions (regex), and when converting a string to a float object. In the case of the regex vulnerability, it is exploited using a crafted source string, and causes memory to be freed twice. In the case of the string-to-float conversion vulnerability, some conversion methods such as Kernel#Float and String#to_f cause a buffer over-read in some circumstances, leading to process termination and potentially invalid memory reads. These vulnerabilities have been assigned CVE-2022-28738 and CVE-2022-28739 (not yet public).

To fix these vulnerabilities, update to ruby-3.1.2 or later using the instructions from Ruby (sysv) or Ruby (systemd).

11.1 029 Git Date: 2022-04-15 Severity: Moderate

In git-2.35.3, a security vulnerability was fixed that can allow for local users to run commands from other repositories on the same system. The Git developers mention that all supported platforms with multiple users are affected in one way or another, and have released versions of Git for all maintenance branches to fix this vulnerability. On multi-user systems, Git users might find themselves unexpectedly in a Git worktree. This occurs due to insufficient validation, and can allow users to run commands defined by another user in another repository. A temporary workaround would be to create the folder '.git' on all volumes/folders where Git commands would be run, and then remove Read/Write/Execute rights from all users other than root. Update to git-2.35.3 or later if you're operating a system where multiple users may use Git. This vulnerability has been assigned CVE-2022-24765.

To fix this vulnerability, update to git-2.35.3 or later using the instructions from Git (sysv) or Git (systemd).
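The Git advisory above describes the mechanism rather than the check: Git searches upward from the current directory for a `.git` directory and will honour configuration found in one owned by a different user. As an added example (not part of the BLFS advisory and not Git's own code), the following Python reproduces that upward search and reports a `.git` directory that is owned by someone other than the current user, which is the condition a multi-user system administrator would want to detect. The `owner_of` callback is an assumption introduced so the check can be tested without changing file ownership; real Git additionally honours GIT_DIR, GIT_CEILING_DIRECTORIES and, since 2.35.3, the safe.directory setting, which this simplified check does not model.

```python
import os
import tempfile
from pathlib import Path
from typing import Callable, Optional


def discover_git_dir(start: Path) -> Optional[Path]:
    """Walk upward from `start` and return the first `.git` entry found,
    mimicking Git's repository discovery. Returns None at the filesystem
    root when nothing was found."""
    cur = Path(start).resolve()
    while True:
        candidate = cur / ".git"
        if candidate.exists():
            return candidate
        if cur.parent == cur:
            return None
        cur = cur.parent


def _stat_owner(path: Path) -> int:
    # Default owner lookup: the uid recorded in the inode.
    return path.stat().st_uid


def foreign_git_dir(start: Path, uid: Optional[int] = None,
                    owner_of: Callable[[Path], int] = _stat_owner) -> Optional[Path]:
    """Return the `.git` directory Git would pick up from `start` if it is owned
    by a user other than `uid` (the situation CVE-2022-24765 concerns), else None.
    `owner_of` is an injectable lookup (assumption for testability)."""
    if uid is None:
        uid = os.geteuid()
    found = discover_git_dir(start)
    if found is None:
        return None
    return found if owner_of(found) != uid else None


def demo() -> Optional[Path]:
    """Build a constructed directory tree: a shared parent holding `.git`
    and a subdirectory with no repository of its own. Running Git from the
    subdirectory would use the parent's `.git`; we pretend it belongs to
    another uid (99999, a constructed value) to show the report."""
    with tempfile.TemporaryDirectory() as tmp:
        shared = Path(tmp) / "shared"
        (shared / ".git").mkdir(parents=True)
        work = shared / "project"
        work.mkdir()
        return foreign_git_dir(work, owner_of=lambda p: 99999)


if __name__ == "__main__":
    print("foreign .git directory:", demo())
```

On a real system run `foreign_git_dir(Path.cwd())` with the default owner lookup from each directory users work in; a non-None result means a repository owned by another account would be used, which is exactly what the page's `.git`-on-every-volume workaround and the git-2.35.3 update are meant to prevent.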

11.1 028 gzip (LFS) Date: 2022-04-15 Severity: Critical

In gzip-1.12, a security vulnerability was fixed that can allow for arbitrary file overwrite and command execution when using 'zgrep' on a crafted archive. Upstream says that it's relatively hard to exploit, but the BLFS team has independently confirmed that exploiting this vulnerability is trivial. This vulnerability is only exploitable when GNU Sed is in use, and it occurs due to insufficient validation when processing filenames with two or more newlines where selected content and the target file names are embedded in crafted multi-line file names. This would allow a remote attacker to execute commands on a system, or overwrite files, when a user runs 'zgrep' on the file. Please update your gzip package as soon as possible. This vulnerability has been assigned CVE-2022-1271.

To fix this vulnerability, update to gzip-1.12 or later using the instructions from gzip (sysv) or gzip (systemd).

11.1 027 Linux Kernel (LFS) Date: 2022-04-15 Severity: Moderate

In Linux-5.17.3 (and 5.16.20, 5.15.34 and other stable releases on 2022-04-13) fixes were made for vulnerabilities in the Linux Kernel's ax25 networking subsystem. These vulnerabilities can cause remotely exploitable kernel panics and are all rated as Moderate by upstream. The vulnerabilities have been assigned CVE-2022-1199 (not yet public), CVE-2022-1204 (not yet public), and CVE-2022-1205 (not yet public), with preliminary details at RedHat CVE-2022-1199, RedHat CVE-2022-1204, and RedHat CVE-2022-1205.

To fix these, update to at least linux-5.17.3 (or linux-5.15.34 if you intend to stay on a long-term supported kernel) using the instructions from the LFS book for Linux Kernel (sysv) or Linux Kernel (systemd).

11.1 026 libarchive Date: 2022-04-12 Severity: High

In libarchive-3.6.1, several security vulnerabilities were fixed that could allow for application crashes and arbitrary code execution. These occur in the 7zip reader, the ZIP reader, the ISO reader, and the RARv4 reader, as well as in the libarchive API. Note that these vulnerabilities have not been assigned CVEs, but are listed as security fixes by upstream. The primary attack vector for these vulnerabilities is API misuse in another application, with a malformed archive file also being a possibility. For more information, please see Release Libarchive 3.6.1.

To fix these vulnerabilities, update to libarchive-3.6.1 or later using the instructions for libarchive (sysv) or libarchive (systemd).

11.1 025 Subversion Date: 2022-04-12 Severity: High

In Subversion-1.14.2, two security vulnerabilities were fixed that could allow for trivial denial-of-service and for arbitrary file paths to be read. In the case of the denial-of-service vulnerability, only servers that use mod_dav_svn in httpd are impacted. This occurs because mod_dav_svn servers will attempt to use memory which has already been freed, and subsequent attempts to access the same resource will immediately result in httpd crashing. In the case of the arbitrary file path read vulnerability, however, both standard svnserve servers and those which use the mod_dav_svn module in httpd are affected. This vulnerability occurs due to an improper logging implementation, causing sensitive information to be reported even if the information is supposed to be omitted. These vulnerabilities have been assigned CVE-2021-28544 and CVE-2022-24070.

To fix these vulnerabilities, update to Subversion-1.14.2 or later using the instructions for Subversion (sysv) or Subversion (systemd).

11.1 024 WebKitGTK+ Date: 2022-04-12 Severity: High

In WebKitGTK+-2.36.0, three security vulnerabilities were fixed that could allow for remote code execution. In all three vulnerabilities, the primary attack vector is maliciously crafted web content, as well as local content such as maliciously crafted JPEG or PNG images. Due to the lack of details, updating to WebKitGTK+-2.36.0 is highly recommended. These vulnerabilities have been assigned CVE-2022-22624, CVE-2022-22628, and CVE-2022-22629.

To fix these vulnerabilities, update to WebKitGTK+-2.36.0 or later using the instructions for WebKitGTK+ (sysv) or WebKitGTK+ (systemd).

11.1 023 Seamonkey Date: 2022-04-12 Severity: High

In Seamonkey-2.53.11.1, the same security vulnerabilities that were fixed in Firefox (and Thunderbird) 91.7.0 have had their fixes ported over. This includes fixes for a browser spoofing vulnerability, a sandbox bypass, an unauthorized addon modification vulnerability, a remotely exploitable crash, and a bug that allows temporary files downloaded to /tmp to be accessible by other users. These vulnerabilities have been assigned CVE-2022-26383, CVE-2022-26384, CVE-2022-26387, CVE-2022-26381, and CVE-2022-26386.

To fix these vulnerabilities, update to Seamonkey-2.53.11.1 or later using the instructions for Seamonkey (sysv) or Seamonkey (systemd).

11.1 022 libsndfile Date: 2022-04-12 Severity: High

In libsndfile-1.1.0, several security vulnerabilities were fixed that could allow for heap buffer overflows (causing arbitrary code execution) and denial of service (index out of bounds and uninitialized variables). Since these vulnerabilities were found by oss-fuzz, no CVEs were assigned. However, upstream does list these as security fixes. For more details, please visit Release 1.1.0. If CVEs are assigned for these vulnerabilities in the future, this advisory will be updated.

To fix these vulnerabilities, update to libsndfile-1.1.0 or later using the instructions for libsndfile (sysv) or libsndfile (systemd).

11.1 021 Thunderbird Date: 2022-04-12 Severity: High

In Thunderbird-91.8.0, several security vulnerabilities were fixed that could allow for remote code execution, memory corruption, remotely exploitable crashes, revoked OpenPGP keys to stay active, and browser spoofing attacks. Similar to previous Thunderbird vulnerabilities, emails that contain HTML can be used as an attack vector. As a result, it's recommended that you update as soon as possible. These vulnerabilities have been assigned CVE-2022-1097, CVE-2022-28281, CVE-2022-1197, CVE-2022-1196, CVE-2022-28282, CVE-2022-28285, CVE-2022-28286, CVE-2022-24713, and CVE-2022-28289.

To fix these vulnerabilities, update to Thunderbird-91.8.0 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).

11.1 020 QtWebEngine Date: 2022-04-11 Severity: High

Another batch of CVEs from Chromium have been fixed in QtWebEngine-5.15.9, and some of these have been actively exploited. As well as those listed below, the Critical vulnerability in the shipped expat-2.4.3 has been fixed. But modern LFS provides a system version of expat which is used, and that was updated before our 11.1 release. If you are on an older LFS system and have not yet updated expat, see the 11.0-068 and 11.1-086 advisories below. The new vulnerabilities are: CVE-2022-1096 (not yet public), CVE-2022-0971 (not yet public), CVE-2022-0610, CVE-2022-0609, CVE-2022-0608, CVE-2022-0607, CVE-2022-0606, CVE-2022-0461, CVE-2022-0460, CVE-2022-0459, CVE-2022-0456, CVE-2022-0311, CVE-2022-0310, CVE-2022-0306, CVE-2022-0305, CVE-2022-0298, CVE-2022-0293, CVE-2022-0291, CVE-2022-0289, CVE-2022-0117, CVE-2022-0116, CVE-2022-0113, CVE-2022-0111, CVE-2022-0109, CVE-2022-0108, CVE-2022-0104, CVE-2022-0103, CVE-2022-0102, CVE-2022-0100.

To fix these, update to 5.15.9 or a later version using the instructions at QtWebEngine (sysv), or QtWebEngine (systemd).

11.1 019 Firefox Date: 2022-04-05 Severity: High

In firefox 91.8.0 eight CVE issues, three rated High, were fixed. These are listed in mfsa-2022-14. The CVEs are CVE-2022-1097 (Not yet public), CVE-2022-1196 (Not yet public), CVE-2022-24713, CVE-2022-28281 (Not yet public), CVE-2022-28282 (Not yet public), CVE-2022-28285 (Not yet public), CVE-2022-28286 (Not yet public), CVE-2022-28289 (Not yet public).

To fix these, update to firefox-91.8.0esr or later using the instructions for: Firefox (sysv) or Firefox (systemd).

11.1 018 Zlib Date: 2022-04-04 Severity: High

Zlib-1.2.12 fixes a vulnerability which allows memory corruption when deflating (i.e. compressing) if the input has many distant matches, see CVE-2018-25032.

To fix this, update to zlib-1.2.12 or later using the instructions for Zlib (sysv) or Zlib (systemd).

Note that the update will cause 9 test failures in the Perl testsuite and these failures should be ignored. And, if you are going to strip the debug symbols for your LFS system, you need to adjust the filename of the zlib library in the stripping instruction.

11.1 017 Linux Kernel (LFS) Date: 2022-04-04 Severity: High

In Linux-5.17.1 (and 5.16.18, 5.15.32 and other stable releases on 2022-03-28), fixes were made for two vulnerabilities in the kernel's nf_tables code, one rated as High. The vulnerabilities have been assigned CVE-2022-1015 (not yet public) and CVE-2022-1016 (not yet public), with preliminary details at RedHat CVE-2022-1015 and RedHat CVE-2022-1016.

To fix these, update to at least linux-5.17.1 (or linux-5.15.32 if you intend to stay on a long-term supported kernel) using the instructions from the LFS book for Linux Kernel (sysv) or Linux Kernel (systemd).

11.1 016 Thunderbird Date: 2022-03-22 Severity: High

In Thunderbird-91.7.0, several security vulnerabilities were fixed that could allow for browser window spoofing, sandbox escapes (and thus remote code execution), unauthorized add-on modification, exploitable crashes, and for temporary files to be downloaded to /tmp instead of the user's home directory. Note that the unauthorized add-on modification vulnerability occurs due to a race condition, while the sandbox bypass vulnerability occurs when processing iframes in HTML mail, and that the remotely exploitable crashes occur when a crafted SVG file is loaded as an attachment or when it is embedded in an HTML mail. These vulnerabilities have been assigned CVE-2022-26383, CVE-2022-26384, CVE-2022-26387, CVE-2022-26381, and CVE-2022-26386.

To fix these vulnerabilities, update to Thunderbird-91.7.0 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).

11.1 015 BIND9 Date: 2022-03-21 Severity: High

In BIND-9.18.1, four security vulnerabilities were fixed that could allow for denial-of-service conditions (resource exhaustion due to infinite loops and unexpected crashes), and for DNS cache poisoning. In the case of DNS cache poisoning, it's possible for bogus NS records to be cached and used by named if named needs to recurse for any reason, causing it to obtain and pass on incorrect records. This will cause the client-side cache to become poisoned with incorrect records, leading to queries being made to the wrong servers and thus resulting in false information being returned to clients. This could allow for cache poisoning and for clients to be redirected to malicious sites instead of the original website that they were attempting to access. Note that all four of these vulnerabilities are exploitable remotely, and one of them is only applicable to 32-bit systems. These vulnerabilities have been assigned CVE-2022-0667, CVE-2022-0635, CVE-2022-0396, and CVE-2021-25220.

To fix these vulnerabilities, update to BIND-9.18.1 or later using the instructions for BIND (sysv) or BIND (systemd).

11.1 014 Node.js Date: 2022-03-18 Severity: High

In node.js-16.14.2 the same vulnerability that was fixed in 11.1-012 is reported to have been fixed. Although BLFS links to shared OpenSSL, Node builds using a copy of the OpenSSL headers (1.1.1n in this version) with some changes and additions (in particular, 'quic' protocol support). It is uncertain if using the updated shared system OpenSSL library without updating Node.js would be an adequate remedy.

The vulnerability is CVE-2021-3711. To fix this vulnerability, update to Node.js-16.14.2 or later using the instructions for node.js (sysv) or node.js (systemd).

11.1 013 Apache HTTPD Date: 2022-03-18 Severity: Critical

In httpd-2.4.53, four security vulnerabilities were fixed. One of the security vulnerabilities can cause a crash; the others can allow HTTP Request Smuggling, an integer overflow leading to an Out Of Bounds Write on 32-bit systems, and overwriting heap memory with attacker-provided data. These vulnerabilities have been assigned CVE-2022-22719, CVE-2022-22720, CVE-2022-22721 and CVE-2022-23943.

To fix these vulnerabilities, update to httpd-2.4.53 or later using the instructions for Apache (sysv) or Apache (systemd).

11.1 012 (LFS) OpenSSL Date: 2022-03-18 Severity: High

A bug which can cause OpenSSL to loop forever when parsing a crafted certificate was fixed in versions 3.0.2 and 1.1.1n. CVE-2022-0778 has been assigned, details at CVE-2021-3711 and openssl 20220315.

To fix this, if using OpenSSL-3, update to OpenSSL-3.0.2 or later using the instructions for OpenSSL (sysv) or OpenSSL (systemd); if using OpenSSL-1.1.1, update to OpenSSL-1.1.1n or later, following the instructions from the LFS-11.0 book but using version 1.1.1n, for OpenSSL (sysv) or OpenSSL (systemd).
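Several advisories on this page, the OpenSSL one above and the Linux Kernel (11.1 027) and OpenJDK (11.1 034) entries among them, give a different minimum fixed version per maintained branch, so a plain "is my version newer" test is not enough. The following Python is an added example (not part of the LFS/BLFS advisories and not a tool the project ships) that checks installed versions against branch-aware minimums. The `ADVISORY_MINIMUMS` table is constructed from the fixed versions named on this page; the package keys and installed versions used in the demo are constructed sample input. The comparison handles the suffix styles seen here: OpenSSL letter suffixes such as `1.1.1n` and Firefox's `esr` tag.

```python
import re
from typing import Dict, List, Tuple

# (branch prefix, minimum fixed version) per package, taken from this page's
# advisories. An empty prefix matches every branch. Constructed table: extend
# it from the advisory text for the packages you actually have installed.
ADVISORY_MINIMUMS: Dict[str, List[Tuple[str, str]]] = {
    "linux":   [("5.17", "5.17.3"), ("5.16", "5.16.20"), ("5.15", "5.15.34")],  # 11.1 027
    "openjdk": [("18", "18.0.1"), ("17", "17.0.3"), ("11", "11.0.15")],        # 11.1 034
    "openssl": [("3", "3.0.2"), ("1.1.1", "1.1.1n")],                           # 11.1 012
    "vim":     [("", "8.2.4814")],                                              # 11.1 037
    "firefox": [("", "91.9.0")],                                                # 11.1 036
}


def version_key(version: str) -> Tuple:
    """Turn a version string into a tuple that orders the way package
    maintainers intend: numeric runs compare as integers, alphabetic runs
    compare by (length, text) so OpenSSL's 1.1.1z < 1.1.1za, and a version
    without a suffix sorts before the same version with one."""
    key = []
    for part in re.findall(r"\d+|[A-Za-z]+", version):
        if part.isdigit():
            key.append((0, int(part), ""))
        else:
            key.append((1, len(part), part.lower()))
    return tuple(key)


def _numeric_components(version: str) -> List[int]:
    return [int(x) for x in re.findall(r"\d+", version)]


def branch_matches(prefix: str, installed: str) -> bool:
    """True if `installed` lies on the branch named by `prefix`
    (compared component-wise, so prefix "1.1.1" matches "1.1.1n")."""
    if prefix == "":
        return True
    wanted = _numeric_components(prefix)
    return _numeric_components(installed)[: len(wanted)] == wanted


def check_package(package: str, installed: str) -> str:
    """Return 'ok', 'vulnerable', 'unknown-branch' (installed branch has no
    fixed release listed) or 'unlisted' (package not covered by the table)."""
    rules = ADVISORY_MINIMUMS.get(package)
    if rules is None:
        return "unlisted"
    for prefix, minimum in rules:
        if branch_matches(prefix, installed):
            fixed = version_key(installed) >= version_key(minimum)
            return "ok" if fixed else "vulnerable"
    return "unknown-branch"


def audit(installed: Dict[str, str]) -> Dict[str, str]:
    """Check every installed package/version pair against the table."""
    return {pkg: check_package(pkg, ver) for pkg, ver in installed.items()}


if __name__ == "__main__":
    # Constructed sample of what `pkg --version` style probing might yield.
    sample = {"linux": "5.15.33", "openssl": "1.1.1m",
              "firefox": "91.9.0esr", "openjdk": "17.0.3", "zlib": "1.2.12"}
    for pkg, verdict in audit(sample).items():
        print(f"{pkg:10s} {sample[pkg]:12s} {verdict}")
```

An 'unknown-branch' result (for example an OpenSSL 1.1.0 or a Linux 5.14 kernel) deserves attention rather than relief: it usually means the branch is out of support and received no fix at all.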

11.1 011 Linux Kernel (LFS) Date: 2022-03-15 Severity: Medium

In Linux-5.16.14, workarounds for hardware vulnerabilities named Branch History Injection have been added. These vulnerabilities may be exploited to cause sensitive information leakage. Read the paper for the details. The vulnerabilities have been assigned CVE-2022-0001 and CVE-2022-0002 (for x86), and CVE-2022-23690 (for ARM, not disclosed yet).

To work around them, update to at least linux-5.16.14 (or 5.15.28, 5.10.105, 5.4.184, 4.19.234, 4.14.271, 4.9.306 for older systems using LTS stable kernels) using the instructions from the LFS book for Linux Kernel (sysv) or Linux Kernel (systemd), and disable unprivileged BPF syscall via the kernel configuration option BPF_UNPRIV_DEFAULT_OFF=y or the sysctl kernel.unprivileged_bpf_disabled=2.

This security update may have a performance impact especially on AMD CPUs, but the benchmark from LFS editors shows the impact is marginal.

11.1 010 VIM (LFS and BLFS) Date: 2022-03-15 Severity: High

In vim-8.2.4567, a vulnerability causing vim to overflow a heap buffer and crash when handling "z=" in visual mode was found and fixed. This vulnerability has been assigned CVE-2022-0943.

To fix this vulnerability, update to vim-8.2.4567 or later using the instructions for vim (sysv) or vim (systemd).

11.1 009 Linux Kernel (LFS) Date: 2022-03-09 Severity: High

In Linux since 5.8, a local privilege escalation vulnerability known as 'Dirty Pipe' has been discovered, see dirtypipe. This has been assigned CVE-2022-0847 (Not yet public).

To fix this, update to at least linux-5.16.11 (or 5.15.25, 5.10.102 for older systems using LTS stable kernels) using the instructions from the LFS book for Linux Kernel (sysv) or Linux Kernel (systemd).

11.1 008 Seamonkey Date: 2022-03-08 Severity: Critical

Similar to Thunderbird and Firefox, Seamonkey is vulnerable to CVE-2022-26485 (the XSLT processing vulnerability). This vulnerability exists when an XSLT parameter is removed during processing, and results in an exploitable use-after-free and subsequent remote code execution with a sandbox escape. This vulnerability is being actively exploited in the wild. Since no new version of Seamonkey is available to fix this vulnerability, the BLFS Editors have crafted a patch which backports the fix from Firefox so that the vulnerability is fixed. Note that Seamonkey is not vulnerable to the WebGPU Processing Vulnerability. Rebuild Seamonkey with the patch as soon as possible. This vulnerability has been assigned CVE-2022-26485.

To fix this vulnerability, rebuild Seamonkey with the patch (or update to a later version) using the instructions for Seamonkey (sysv) or Seamonkey (systemd).

11.1 007 Thunderbird Date: 2022-03-08 Severity: Critical

In Thunderbird-91.6.2, two security issues which were rated as Critical were resolved. One of these vulnerabilities has to do with XSLT processing, and the other is in the WebGPU IPC Framework. The XSLT processing issue occurs when a parameter is removed during processing, which results in an exploitable use-after-free and subsequent remote code execution with a sandbox escape. The WebGPU vulnerability is similar to the XSLT processing issue, where an unexpected message can lead to a use-after-free resulting in subsequent remote code execution and sandbox escapes. There are multiple active attacks in the wild which are abusing these flaws, and it is thus recommended that you update to Thunderbird-91.6.2 immediately. These vulnerabilities have been assigned CVE-2022-26485 and CVE-2022-26486.

To fix these vulnerabilities, update to Thunderbird-91.6.2 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).

11.1 006 Firefox Date: 2022-03-08 Severity: Critical

In firefox 91.6.1 two CVE issues rated Critical were fixed (attacks in the wild). These are listed in mfsa-2022-09. Shortly afterwards, firefox-91.7.0 was released with five more CVE issues fixed, listed in mfsa-2022-11. The CVEs are CVE-2022-26485 (Not yet public), CVE-2022-26486 (Not yet public), CVE-2022-26381 (Not yet public), CVE-2022-26383 (Not yet public), CVE-2022-26384 (Not yet public), CVE-2022-26386 (Not yet public), CVE-2022-26387 (Not yet public).

To fix these, update to firefox-91.7.0esr or later using the instructions for: Firefox (sysv) or Firefox (systemd).

11.1 005 Seamonkey Date: 2022-03-03 Severity: Critical

In seamonkey-2.53.11, all security vulnerabilities from Firefox/Thunderbird 91.5.0-91.6.1 have been fixed. These security vulnerabilities include fullscreen window spoofing, out-of-bounds memory access, denial of service, heap buffer overflows leading to arbitrary and remote code execution, sandbox escapes, information disclosure, stealth extension updates, unexpected image processing/execution, and security policy bypasses. Most notably, this update prevents attacks where an attacker could take over a system via sending a maliciously crafted email by importing the security fix from Thunderbird-91.6.1. Note that almost all of these vulnerabilities are exploitable remotely and without user interaction. These security vulnerabilities have been assigned CVE-2022-22746, CVE-2022-22743, CVE-2022-22742, CVE-2022-22741, CVE-2022-22740, CVE-2022-22738, CVE-2022-22737, CVE-2021-4140, CVE-2022-22748, CVE-2022-22745, CVE-2022-22744, CVE-2022-22747, CVE-2022-22739, CVE-2022-22751, CVE-2022-22754, CVE-2022-22756, CVE-2022-22759, CVE-2022-22760, CVE-2022-22761, CVE-2022-22763, CVE-2022-22764, and CVE-2022-0566.

To fix these vulnerabilities, update to seamonkey-2.53.11 or later using the instructions for Seamonkey (sysv) or Seamonkey (systemd).

11.1 004 Polkit Date: 2022-03-03 Severity: Low

A security vulnerability was discovered in polkit-0.120 that can lead to a local denial of service. This occurs due to file descriptor exhaustion, and can be exploited by an unprivileged user. However, this is marked as Low because no severity is available from Red Hat at this time, and just results in polkitd crashing. Polkitd will then get restarted via dbus the next time that it is required, so user impact is minimal. This vulnerability has been assigned CVE-2021-4115.

To fix this vulnerability, rebuild polkit-0.120 with the new patch using the instructions for Polkit (sysv) or Polkit (systemd), or update to polkit-0.121 (or a later version) when it becomes available.

11.1 003 FLAC Date: 2022-03-03 Severity: Medium

In FLAC-1.3.4, two security vulnerabilities were fixed that could allow for remote information disclosure with no privileges required. One of these vulnerabilities requires user interaction to exploit, while the other does not. Both of these security vulnerabilities are due to memory safety issues in the encoder, being out-of-bounds read/write vulnerabilities leading to heap buffer overflows. These vulnerabilities can only be exploited by playing a malicious file, so applications such as tracker-miners (which index files on a hard disk) are not impacted. These vulnerabilities have been assigned CVE-2020-0499 and CVE-2021-0561.

To fix these vulnerabilities, update to FLAC-1.3.4 or later using the instructions for FLAC (sysv) or FLAC (systemd).

11.1 002 Cyrus-SASL Date: 2022-03-03 Severity: High

In cyrus-sasl-2.1.28, two security vulnerabilities were fixed that could allow for password/information leakage and for denial of service. The denial of service vulnerability exists in the 'common.c' file that is included in all SASL plugins and in the 'libsasl2.so' library itself. The password/information leakage vulnerability exists in the SQL plugin for SASL, and is due to it not escaping the password for an SQL INSERT or UPDATE statement. Both of these vulnerabilities can be exploited remotely. These vulnerabilities have been assigned CVE-2019-19906 and CVE-2022-24407.

To fix these vulnerabilities, update to cyrus-sasl-2.1.28 or later using the instructions for Cyrus-SASL (sysv) or Cyrus-SASL (systemd).

11.1 001 VIM (LFS and BLFS) Date: 2022-03-02 Severity: High

In vim-8.2.4489, four vulnerabilities causing vim to crash handling certain operation sequences or multibyte characters have been found and fixed. These vulnerabilities have been assigned CVE-2022-0685, CVE-2022-0696, CVE-2022-0714, and CVE-2022-0729.

To fix these vulnerabilities, update to vim-8.2.4489 or later using the instructions for vim (sysv) or vim (systemd).

Items between the releases of the 11.0 and 11.1 books

11.0 088 Thunderbird Date: 2022-02-24 Severity: High

In Thunderbird-91.6.1, a security vulnerability was fixed that could allow for remote code execution when processing new emails. This occurs due to an out-of-bounds write that causes one additional byte to be written into memory when processing a crafted email message. Note that this email does not have to be opened; the vulnerability is exploited when Thunderbird processes the email to add it to its index. This vulnerability has been assigned CVE-2022-0566.

To fix this vulnerability, update to Thunderbird-91.6.1 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).

11.0 087 WebKitGTK+ Date: 2022-02-24 Severity: Critical

In WebKitGTK+-2.34.6, a security vulnerability was fixed that allows for trivial remote code execution, and that requires no user interaction. This vulnerability has been rated as an emergency by Apple, and has resulted in out-of-band security updates for all of its devices. Processing maliciously crafted images can result in trivial remote code execution, and Apple is aware of several reports that this issue is being actively exploited. This issue is classified as a use-after-free and was fixed in WebKitGTK+ with improved memory management. Due to the severity of this vulnerability and the fact that the vulnerability is being actively exploited, the BLFS team recommends updating to WebKitGTK+-2.34.6 immediately. This vulnerability has been assigned CVE-2022-22620, but additional information can be found at Apple Security Advisory and WSA-2022-0003.

To fix this vulnerability, update to WebKitGTK+-2.34.6 or later using the instructions for WebKitGTK+ (sysv) or WebKitGTK+ (systemd).

11.0 086 Expat Date: 2022-02-24 Severity: Critical

In expat-2.4.5, several security vulnerabilities were fixed that could allow for remote code execution and denial of service. One of these vulnerabilities allows for remote code execution due to missing validation of UTF-8 characters, such as checks for whether a UTF-8 character is valid in a certain context. This could allow for the characters to be passed elsewhere in the stack, and lead to remote code execution. Another vulnerability exists that allows attackers to insert namespace-separator characters into namespace URIs, allowing for trivial remote code execution or unauthorized access to information. Another vulnerability exists in the build_model function that allows for a denial of service due to stack exhaustion (application crash). In the functions storeRawNames and copyString, integer overflow vulnerabilities exist that allow for remote code execution when processing XML files. Similar to the libxml2 and libxslt vulnerabilities, these can be exploited trivially through malicious advertisements and other crafted web content, but also through other means depending on the context of an application that uses these libraries. The BLFS team recommends updating to expat-2.4.6 as soon as possible. These vulnerabilities have been assigned CVE-2022-25235, CVE-2022-25236, CVE-2022-25313, CVE-2022-25314, and CVE-2022-25315.

To fix these vulnerabilities, update to expat-2.4.5 or later using the instructions for Expat (sysv) or Expat (systemd). Note: If you have installed docbook-utils from BLFS you will need to add "--without-docbook" to work around an error in configure, since our installation of docbook-utils uses SGML instead of XML.

11.0 085 libxml2 Date: 2022-02-24 Severity: High

In libxml2-2.9.13, a security vulnerability was fixed that could allow for a remote attacker to cause an application crash or cause remote code execution to occur. This occurs due to a use-after-free in the functions that handle ID and IDREF attributes, which are extremely common in XML documents. This update also included fixes for several memory leaks, use-after-free vulnerabilities, and null-pointer dereference crashes in other functions within the libxml2 library. Similar to the libxslt vulnerabilities, these vulnerabilities have been spotted in the wild during attacks utilizing malicious advertisements. The BLFS team recommends updating to libxml2-2.9.13 as soon as possible. This vulnerability has been assigned CVE-2022-23308.

To fix this vulnerability, update to libxml2-2.9.13 or later using the instructions for libxml2 (sysv) or libxml2 (systemd).

11.0 084 PHP Date: 2022-02-24 Severity: Moderate

In PHP-8.1.3, a security vulnerability was fixed that could allow for a denial of service. This vulnerability occurs due to a logic error in the php_filter_float() function that leads to a use-after-free vulnerability due to it permitting integers to be passed to input that is only supposed to accept floating point numbers. According to Red Hat, this flaw allows an attacker to inject a malicious file, leading to a segmentation fault. If you are not using the php_filter_float() function, upgrading is not important. However, if you are using the php_filter_float() function, you should update as soon as possible. This vulnerability has been assigned CVE-2021-21708.

To fix this vulnerability, update to PHP-8.1.3 or later using the instructions for PHP (sysv) or PHP (systemd).

11.0 083 libxslt Date: 2022-02-24 Severity: High

In libxslt-1.1.35, a security vulnerability was fixed that could allow for remote attackers to exploit heap corruption via a use-after-free in the xsltApplyTemplates function. This vulnerability was originally discovered in Google Chrome (and thus QtWebEngine is affected), where remote attackers were using malicious advertisements with crafted XML documents embedded to cause remote code execution. The vulnerability was found to be in the libxslt library. Additionally, two memory leaks and a double-free (which could lead to denial of service) were fixed. The BLFS team recommends updating to libxslt-1.1.35 as soon as possible, especially if you have QtWebEngine installed. This vulnerability has been assigned CVE-2021-30560.

To fix this vulnerability, update to libxslt-1.1.35 or later using the instructions for libxslt (sysv) or libxslt (systemd).

11.0 082 util-linux (LFS and BLFS) Date: 2022-02-24 Severity: Moderate

In util-linux-2.37.4, a security vulnerability was fixed that could allow local attackers to read information that is normally accessible only by the 'root' user. This vulnerability exists in the 'chsh' and 'chfn' utilities when compiled with support for libreadline, which is the default in LFS. The readline library uses the INPUTRC environment variable to get a path to the user's input settings instead of /etc/inputrc, but when the library cannot parse the specified file, it prints an error containing data from the file. An example attack is a user setting INPUTRC to /etc/passwd, and then running chsh (or any other setuid-root application). This flaw thus allows an unprivileged user to read root-owned files, which can lead to privilege escalation and unauthorized access to privileged information. This vulnerability has been assigned CVE-2022-0563.

To fix this, upgrade to util-linux-2.37.4 or later using the instructions at util-linux (sysv) or util-linux (systemd). Please be aware that on older systems where the Linux headers include 'linux/raw.h' you will need to add '--disable-raw' to the configure command, and on systems before /usr was merged (LFS-10.1 and earlier) you should omit '--libdir=/usr/lib' to ensure that the libraries overwrite the existing libraries in /lib.

11.0 081 VIM (LFS and BLFS) Date: 2022-02-22 Severity: High

Another heap-based buffer overflow, causing a crash when repeatedly using :retab, was fixed in vim-8.2.4359. This has been assigned CVE-2022-0572 (undergoing analysis).

To fix this vulnerability update to vim-8.2.4383 or later using the instructions for vim (sysv) or vim (systemd).

11.0 080 ImageMagick Date: 2022-02-18 Severity: High

BLFS updated to ImageMagick-7.1.0-25 from 7.1.10-4. The changes include two fixes for apparent security vulnerabilities: in 7.1.0-5, a heap-based buffer overflow in the TIFF coder, and in 7.1.0-13, a stack overflow when parsing a malicious PS image file. No further details of these are available.

To fix these, update to ImageMagick-7.1.0-25 or later using the instructions for ImageMagick (sysv) or ImageMagick (systemd).

11.0 079 MariaDB Date: 2022-02-14 Severity: High

In MariaDB-10.6.7, several security vulnerabilities were fixed that could allow for application crashes and information disclosure when executing certain SELECT commands. One of these issues occurs due to incorrect usage of used_tables inside of the API. Another occurs due to improper usage of the sub_select_postjoin_aggr() function in the API. Another occurs due to improper usage of the find_field_in_tables and find_order_in_list API calls when a common table expression defines a table that is never used. The rest of the vulnerabilities occur when a SELECT DISTINCT statement is so long that it interacts with storage-engine resource limitations, and when SELECT is called with other unspecified options. These vulnerabilities have been assigned CVE-2021-46665, CVE-2021-46664, CVE-2021-46661, CVE-2021-46668, CVE-2021-46663, CVE-2022-24052, CVE-2022-24051, CVE-2022-24050, CVE-2022-24048, and CVE-2021-46659.

To fix these vulnerabilities, update to MariaDB-10.6.9 or later using the instructions for MariaDB (sysv) or MariaDB (systemd).

11.0 078 Exempi Date: 2022-02-14 Severity: Critical

In Exempi-2.6.1, several security vulnerabilities were fixed that could allow for information disclosure, vulnerability mitigation bypass, application crashes, arbitrary code execution, and remote code execution. Most of these vulnerabilities are due to stack-based buffer overflows and memory corruption issues, but a few of them are caused by use-after-free problems which result in application crashes. In theory, these vulnerabilities are exploitable by downloading files on systems where Tracker is installed and configured to index the user's home directory, but the primary attack vector listed is users who open crafted files. Due to the highly exploitable nature of these vulnerabilities though, updating to Exempi-2.6.1 as soon as possible is recommended. These vulnerabilities have been assigned CVE-2021-40716, CVE-2021-40732, CVE-2021-36045, CVE-2021-36046, CVE-2021-36052, CVE-2021-36047, CVE-2021-36048, CVE-2021-36050, CVE-2021-36051, CVE-2021-39847, CVE-2021-36053, CVE-2021-36054, CVE-2021-36055, CVE-2021-36056, CVE-2021-36057, CVE-2021-36064, and CVE-2021-36058.

To fix these vulnerabilities, update to Exempi-2.6.1 or later using the instructions for Exempi (sysv) or Exempi (systemd).

11.0 077 Thunderbird Date: 2022-02-13 Severity: High

In Thunderbird-91.6.0, several security vulnerabilities were fixed that could allow for extension updates to be completed without the user's permission, for images to be dragged-and-dropped as executables, for sandboxed HTML to execute JavaScript, for cross-origin responses to be distinguished between script and non-script content types, for content security policy bypasses, for arbitrary code execution via script execution during an invalid object state, and for remotely-exploitable crashes to occur. In general, these vulnerabilities cannot be exploited through normal email usage, except through HTML mail. These vulnerabilities have been assigned CVE-2022-22754, CVE-2022-22756, CVE-2022-22759, CVE-2022-22760, CVE-2022-22761, CVE-2022-22763, and CVE-2022-22764.

To fix these vulnerabilities, update to Thunderbird-91.6.0 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).

11.0 076 Samba Date: 2022-02-13 Severity: Critical

In Samba-4.15.3, three security vulnerabilities were fixed that could allow for an information leak, for trivial remote code execution, and for the ability to impersonate services on an Active Directory network. The information leak vulnerability occurs via symlinks, and can notify the user of the existence of a file or folder outside of an exported directory share. The remote code execution is trivial to exploit and allows remote attackers to easily execute arbitrary code as root on affected Samba servers which use the VFS module vfs_fruit. This vulnerability exists within the parsing of EA metadata when opening files in smbd. Note that vfs_fruit is most commonly used when an Apple Macintosh device is on the network. This particular vulnerability has been rated a 9.9/10 by NVD. The Active Directory impersonation vulnerability occurs due to checks being bypassed. These checks are supposed to prevent aliased SPNs from being mixed up with standard users. An attacker can exploit this vulnerability by writing to an account that is identical to the name of an existing service. This also allows an attacker to intercept traffic intended for those services, allowing for a significant loss of confidentiality and integrity. These vulnerabilities have been assigned CVE-2021-44141, CVE-2021-44142, and CVE-2022-0336.

To fix these vulnerabilities, update to Samba-4.15.3 or later using the instructions for Samba (sysv) or Samba (systemd) immediately.

11.0 075 WebKitGTK+ Date: 2022-02-13 Severity: Critical

In WebKitGTK+-2.34.5, several security vulnerabilities were fixed that could allow for remote code execution, unauthorized information disclosure, application crashes, content security policy bypasses, and malicious JavaScript execution. One of these vulnerabilities has a proof-of-concept exploit available which exfiltrates information out of cookies. Most of these vulnerabilities occur due to memory corruption issues that arise from processing maliciously crafted web pages, videos, and other web content. Updating as soon as possible is advised. These vulnerabilities have been assigned CVE-2021-30934, CVE-2021-30936, CVE-2021-30951, CVE-2021-30952, CVE-2021-30953, CVE-2021-30954, CVE-2021-30984, CVE-2022-22594, CVE-2021-45481, CVE-2021-45482, CVE-2021-45483, CVE-2022-22589, CVE-2022-22590, and CVE-2022-22592.

To fix these vulnerabilities, update to WebKitGTK+-2.34.5 or later using the instructions for WebKitGTK+ (sysv) or WebKitGTK+ (systemd).

11.0 074 gst-plugins-base Date: 2022-02-13 Severity: Medium

In gst-plugins-base-1.18.6 (and 1.20.0), a security vulnerability was fixed that could allow for application crashes when presented with malformed files. This occurred when calling upon tagdemux during processing of a malicious MP3 file, and happens due to a race condition between typefinding and the end-of-stream event. This vulnerability can be exploited via WebKitGTK+-based browsers by visiting a web page with a corrupted MP3 file present on the page. This vulnerability has not been assigned a CVE, but more details can be found at Gstreamer Issue 967.

To fix this vulnerability, update to gstreamer-1.18.6 or 1.20.0 or later using the instructions for gst-plugins-base (sysv) or gst-plugins-base (systemd).

If you decide to update to gst-plugins-base-1.20.0, you must update the entire stack to 1.20 at the same time.

11.0 073 zsh Date: 2022-02-13 Severity: High

In zsh-5.8.1, a security vulnerability was fixed that could allow for malicious command execution through the PROMPT_SUBST expansion. An attacker can achieve code execution if they control a command output inside the prompt. This has been demonstrated upstream via the %F argument, and a proof of concept exploit exists that can be used to trick a user into executing arbitrary code by having them check out a Git branch with a specially crafted name. This was fixed in the shell via preventing PROMPT_SUBST evaluation on prompt-expansion arguments. This vulnerability has been assigned CVE-2021-45444.

To fix this vulnerability, update to zsh-5.8.1 or later using the instructions for zsh (sysv) or zsh (systemd).

11.0 072 Wireshark Date: 2022-02-13 Severity: High

In Wireshark-3.6.2, several security vulnerabilities were fixed that could allow for a remote attacker to cause a denial-of-service due to application crashes and excessive resource consumption. These issues can be exploited on a network where AMP, ATN-ULCS, ASN.1, BP, GDSDB, OpenFlow v5, P_MUL, SoulSeek, TDS, WBXML, WSP, ZigBee ZCL, RTMPT, PVFS, CSN.1, or CMS packets are being transmitted. Note that this is also exploitable via a malicious packet trace file, although the primary attack vector is packets traveling across a network when Wireshark is run. There are no CVEs for these issues, however they have been assigned advisories upstream. More information about these vulnerabilities can be found at wnpa-sec-2022-01, wnpa-sec-2022-02, wnpa-sec-2022-03, wnpa-sec-2022-04, and wnpa-sec-2022-05.

To fix these vulnerabilities, update to Wireshark-3.6.2 or later using the instructions for Wireshark (sysv) or Wireshark (systemd).

11.0 071 libarchive Date: 2022-02-13 Severity: Medium

In libarchive-3.6.0, two security vulnerabilities were fixed that could allow for symlink attacks and for a denial of service. One of these vulnerabilities occurs in the copy_string() function, and is classified as a use-after-free that results in a denial of service. The other one occurs when processing the fixup list while extracting an archive. Note that these vulnerabilities can occur in any program which uses libarchive, but the primary attack vector is a user downloading a malicious archive. These vulnerabilities have been assigned CVE-2021-31566 and CVE-2021-36976.

To fix these vulnerabilities, update to libarchive-3.6.0 or later using the instructions for libarchive (sysv) or libarchive (systemd).

11.0 070 libgcrypt Date: 2022-02-13 Severity: Medium

In libgcrypt-1.10.0, a security vulnerability was fixed that allows for plaintext encryption key recovery when using the ElGamal implementation in libgcrypt. This was previously fixed in 1.9.4, but the fix was improved upon in libgcrypt-1.10.0. The issue occurs during the interaction between two cryptographic libraries and a dangerous combination of the prime defined by the receiver's public key as well as the generator in the public key and the sender's ephemeral exponents. This allows for a cross-configuration attack leading to plaintext encryption key recovery. This vulnerability has been assigned CVE-2021-40528.

To fix this vulnerability, update to libgcrypt-1.10.0 or later using the instructions for libgcrypt (sysv) or libgcrypt (systemd).

11.0 069 glibc Date: 2022-02-13 Severity: Critical

In glibc-2.35, four security vulnerabilities were fixed that could allow for denial of service, remote code execution, information disclosure, arbitrary code execution, and privilege escalation. One of these vulnerabilities occurs due to an off-by-one buffer overflow and underflow in the getcwd() function, which may lead to memory corruption when the size of the buffer is exactly '1'. A local attacker who has the capability of controlling the input buffer and size passed to getcwd() in a SUID-bit enabled program can use this flaw to elevate privileges and execute arbitrary code on the system. Another vulnerability is caused by the realpath() function: in applications which use the realpath_stk() function, it is possible to have unintentional information leakage and disclosure of sensitive data due to an unexpected value being returned with the contents of memory. Another vulnerability exists in the svcunix_create() function in the SunRPC module in glibc. This occurs when the svcunix_create() function copies its path argument on the stack without validating its length, which results in a buffer overflow and remote code execution (or crashes). The fourth and final vulnerability exists in the clnt_create() function in the SunRPC module. The clnt_create() function copies its hostname argument on the stack without validating its length, which results in a buffer overflow and remote code execution or application crashes. These vulnerabilities have been assigned CVE-2022-23219, CVE-2022-23218, CVE-2021-3998, and CVE-2021-3999.

Properly fixing these vulnerabilities can be tricky. To fix them, take a full system backup, and then rebuild glibc with the patch found at glibc-2.34-security_fixes-1.patch, using the instructions for glibc from glibc (sysv) or glibc (systemd).

11.0 068 Expat Date: 2022-02-13 Severity: Critical

In Expat-2.4.4, two security vulnerabilities were fixed that could allow for arbitrary code execution and denial of service. These vulnerabilities are classified as signed integer overflows. One of the vulnerabilities occurs when a program calls upon XML_GetBuffer in configurations with a non-zero value of XML_CONTEXT_BYTES. The other vulnerability occurs when processing large content via the doProlog function. These vulnerabilities have been assigned CVE-2022-23990 and CVE-2022-23852.

To fix these, update to Expat-2.4.4 or later, using the instructions in Expat (sysv) or Expat (systemd). Note: If you have installed docbook-utils from BLFS you will need to add "--without-docbook" to work around an error in configure, since our installation of docbook-utils uses SGML instead of XML.

11.0 067 Intel Microcode Date: 2022-02-12 Severity: Medium

Intel microcode for Skylake and later processors has been updated to fix two vulnerabilities: a privilege escalation on certain recent Pentium, Celeron and Atom processors (Intel-SA-00528, CVE-2021-0146), and a local denial of service affecting all Skylake and later processors (Intel-SA-00532, CVE-2021-0127).

To fix these, update to at least microcode-20220207 using the instructions for About Firmware (sysv) or About Firmware (systemd).

11.0 066 Firefox Date: 2022-02-09 Severity: High

In firefox 91.6.0 several CVE issues, two rated High, were fixed. These are listed in mfsa-2022-05. The CVEs are CVE-2022-22754 (Not yet public), CVE-2022-22756 (Not yet public), CVE-2022-22759 (Not yet public), CVE-2022-22760 (Not yet public), CVE-2022-22761 (Not yet public), CVE-2022-22763 (Not yet public), CVE-2022-22766 (Not yet public).

To fix these, update to firefox-91.6.0esr or later using the instructions for Firefox (sysv) or Firefox (systemd).

11.0 065 Linux Kernel (LFS) Revised: 2022-02-04 Severity: High

In Linux before 5.16.2 or 5.15.16 (current long term stable) a local privilege escalation via heap overflow exists. Details at oss-security. This has been assigned CVE-2022-0185 (Not yet public). Please note that linux-5.16.2 and 5.15.16 had a vulnerability in ext4 which could lead to data loss.

Additionally, in Linux before 5.16.4 or 5.15.18 there is a random memory access flaw in the i915 driver which a malicious user can use to crash the system or elevate their privileges. See oss-security. This has been assigned CVE-2022-0330 (Not yet public).

To fix these, update to Linux 5.16.4 or later, or Linux-5.15.18 or later (if you prefer to stick with long-term stable 5.15), or a version released on 2022-01-29 or later if for some reason you are using an older stable kernel series, using the instructions from the LFS book for Linux Kernel (sysv) or Linux Kernel (systemd).

In addition, there was a bug allowing privilege escalation in the kernel's vmwgfx driver (apparently not exploitable if qemu is used). See oss-security. This has been assigned CVE-2022-22942 (Not yet public). The proposed fix for this did not appear on the kernel mailing list, but was included in linux-5.16.4 and other stable kernels released at the same time. Therefore, the workaround of disabling the vmwgfx driver on affected systems is not required if you upgrade to linux-5.16.4 or later, or linux-5.15.18 or later.

11.0 064 Expat Date: 2022-02-01 Severity: Critical

Several vulnerabilities, three rated as Critical, have been fixed in expat-2.4.3. See CVE-2021-45960, CVE-2021-46143, CVE-2022-22822, CVE-2022-22823, CVE-2022-22824, CVE-2022-22825, CVE-2022-22826 and CVE-2022-22827.

To fix these, update to Expat-2.4.3 or later, using the instructions in Expat (sysv) or Expat (systemd). Note: If you have installed docbook-utils from BLFS you will need to add "--without-docbook" to work around an error in configure, since our installation of docbook-utils uses SGML instead of XML.

11.0 063 VIM (LFS and BLFS) Date: 2022-02-01 Severity: High

Many security vulnerabilities in vim have been fixed in versions up to vim-8.2.4236. Fifteen of these have been rated as High by the NVD. Unfortunately, the details are minimal. These vulnerabilities have been assigned CVE-2021-3875, CVE-2021-3903, CVE-2021-3927, CVE-2021-3968, CVE-2021-3973, CVE-2021-3974, CVE-2021-3984, CVE-2021-4019, CVE-2021-4069, CVE-2021-4136, CVE-2021-4166, CVE-2021-4173, CVE-2021-4187, CVE-2021-4192, CVE-2021-4193, CVE-2022-0128, CVE-2022-0156, CVE-2022-0158, and CVE-2022-0213.

To fix these vulnerabilities, update to vim-8.2.4236 or later using the instructions for vim (sysv) or vim (systemd).

11.0 062 util-linux Date: 2021-06-28 Severity: High

Two bugs in libmount since version 2.33 have been discovered. These apply to fuse mounts, but one of the examples shows fuse being used to umount /tmp. See oss-security. The CVEs are CVE-2021-3995 (Not yet public) and CVE-2021-3996 (Not yet public).

To fix this, upgrade to util-linux-2.37.3 or later using the instructions at util-linux (sysv) or util-linux (systemd). Please be aware that on older systems where the Linux headers include 'linux/raw.h' you will need to add '--disable-raw' to the configure command, and on systems before /usr was merged (LFS-10.1 and earlier) you should omit '--libdir=/usr/lib' to ensure that the libraries overwrite the existing libraries in /lib.

11.0 061 Qt5 Date: 2022-01-28 Severity: Medium

An Out Of Bounds Write was discovered in the SVG component of Qt. This has been fixed upstream in the paid-for commercial releases, but for the free versions it is necessary to patch it. Please see CVE-2021-45930.

To fix this apply the qt-everywhere-src-5.15.2-kf5.15-2.patch (or a later version of the patch if one exists) using the instructions at Qt5 (sysv), or Qt5 (systemd).

11.0 060 Rustc Date: 2022-01-25 Severity: High

In all versions of rust before 1.58.1 an attacker can exploit a race condition to trick a privileged program into deleting files and directories the attacker couldn't otherwise access or delete. The rust security advisory https://blog.rust-lang.org/2022/01/20/cve-2022-21658.html explains this. Pending further analysis, this is rated as High, and if you have any privileged rust programs they should be rebuilt if they use the affected function (std::fs::remove_dir_all) on paths that may be manipulated with lesser privileges. The programs in BLFS which use rust do not install any privileged programs, so most BLFS users who have installed rust will only need to upgrade it.

Please see CVE-2022-21658.

To fix rust, update to rustc-1.58.1 (or a later version) using the instructions for Rust (sysv) or Rust (systemd).

11.0 059 polkit Date: 2022-01-26 Severity: High

In polkit-0.120, a trivially exploitable vulnerability allowing local privilege escalation has been identified. This vulnerability affects polkit back to 0.92. The details can be found at this Qualys Security Advisory. The vulnerability has been assigned CVE-2021-4034 (not disclosed yet).

To fix this, apply the patch for polkit >=0.114, <=0.120, or the rebased patch for polkit >=0.92, <=0.113 and rebuild polkit. Or, if you don't use the functionality of the pkexec command, you can unset the SUID bit on it with chmod -s /usr/bin/pkexec as the root user, as a workaround.

11.0 058 GnuTLS Date: 2022-01-18 Severity: Low

A security advisory has been published by the GnuTLS developers: GNUTLS-SA-2022-01-17. This vulnerability has been classified as a memory corruption vulnerability in the gnutls_x509_trust_list_verify_crt() function which occurs when a single trust list object is shared among multiple threads. A CVE identifier has not been issued for this vulnerability.

To fix this vulnerability, update to GnuTLS 3.7.3 or a later version using the instructions for GnuTLS (sysv), or GnuTLS (systemd).

11.0 057 QtWebEngine Date: 2022-01-17 Severity: High

Thirty-one more CVEs (from Chromium) in QtWebEngine, of which at least seventeen are rated as High, have been fixed in the 5.15.8 version: CVE-2021-4102, CVE-2021-4101, CVE-2021-4099, CVE-2021-4098, CVE-2021-4079, CVE-2021-4078, CVE-2021-4062, CVE-2021-4059, CVE-2021-4058, CVE-2021-4057, CVE-2021-38022, CVE-2021-38021, CVE-2021-38019, CVE-2021-38018, CVE-2021-38017, CVE-2021-38015, CVE-2021-38012, CVE-2021-38010, CVE-2021-38009, CVE-2021-38007, CVE-2021-38005, CVE-2021-38003, CVE-2021-38001, CVE-2021-37996, CVE-2021-37993, CVE-2021-37992, CVE-2021-37989, CVE-2021-37987, CVE-2021-37984, CVE-2021-3541, CVE-2021-3517.

To fix these, update to 5.15.8 or a later version using the instructions at QtWebEngine (sysv), or QtWebEngine (systemd).

11.0 056 Thunderbird Date: 2022-01-13 Severity: High

In Thunderbird-91.5.0, several security vulnerabilities were fixed that could allow for being unable to leave fullscreen mode, for out-of-bounds memory access (when inserting text in edit mode), for use-after-free crashes when certain network request objects were freed too early, for crashes when processing CSS filter effects, for crashes when playing audio files, for iframe sandbox escapes, origin spoofs, leakage of cross-origin URLs through the securitypolicyviolation event, and for remote code execution due to memory safety issues. An additional security vulnerability was fixed that could allow for crashes when handling empty PKCS#7 sequences. These vulnerabilities have been assigned CVE-2022-22743, CVE-2022-22742, CVE-2022-22741, CVE-2022-22740, CVE-2022-22738, CVE-2022-22737, CVE-2021-4140, CVE-2022-22748, CVE-2022-22745, CVE-2022-22747, CVE-2022-22739, and CVE-2022-22751.

To fix these vulnerabilities, update to Thunderbird-91.5.0 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).

11.0 055 Epiphany Date: 2022-01-13 Severity: Moderate

In Epiphany-41.3, four security vulnerabilities were fixed that could allow for cross-site scripting (XSS) to take place. These security vulnerabilities occurred in the about:overview page, the PDF.js PDF reader (using a server's suggested_filename as the pdf_name), when using the View Source mode or Reader Mode to view a page title, and via all internal error pages. These vulnerabilities have been assigned CVE-2021-45085, CVE-2021-45086, CVE-2021-45087, and CVE-2021-45088.

To fix these vulnerabilities, update to Epiphany-41.3 or later using the instructions for Epiphany (sysv) or Epiphany (systemd).

11.0 054 systemd Date: 2022-01-13 Severity: High

In systemd-249 (and systemd-250), a security vulnerability exists that allows for uncontrolled recursion in the systemd-tmpfiles program. systemd-tmpfiles creates, modifies, and deletes temporary files and directories on system startup. While this vulnerability is classified only as a denial-of-service, it is also possible to cause PID 1 to segfault when this is exploited. It is also possible to create arbitrary files if an attacker can catch a folder while it is still world-writable. If you use systemd, it is recommended that you patch your installation immediately. In response to this, the BLFS Editors have developed a patch for both version 250 (which is for the development books) and for 249 (which is the version that shipped with LFS/BLFS 11.0). This vulnerability has been assigned CVE-2021-3997.

If you are using systemd-250, apply the patch using the instructions for systemd (systemd).

If you are using systemd-249, apply the new upstream fixes patch located at systemd-249-upstream_fixes-2 and rebuild systemd.

11.0 053 cryptsetup Date: 2022-01-13 Severity: High

In cryptsetup-2.3.6, a security vulnerability was identified that allows for decryption of data during crash recovery on a LUKS2-encrypted device. This attack does require physical access to the device, but no knowledge of user passphrases. An attacker can modify on-disk metadata to simulate encryption in progress with a crashed (unfinished) reencryption step, which allows for persistent decryption of the device. If you are using cryptsetup for anything other than a build dependency, you should update to 2.4.3 immediately. Note that you need to finish any encryption tasks that are currently in progress to prevent any data corruption/data loss. This vulnerability has been assigned CVE-2021-4122.

To fix this vulnerability, update to cryptsetup-2.4.3 or later using the instructions for cryptsetup (sysv) or cryptsetup (systemd).

11.0 052 gfbgraph Date: 2022-01-11 Severity: High

In gfbgraph-0.2.4, a security vulnerability was discovered that causes gfbgraph to fail to perform TLS certificate validation when downloading or uploading photos or graphs from remote sources. This is because it does not enable TLS certificate validation on the SoupSessionSync objects it creates. This allows for remote injection/modification of graphs and for remote code execution. Note that this is almost identical to CVE-2016-20011 in libgrss, and CVE-2021-39365 in Grilo. This vulnerability has been assigned CVE-2021-39358.

To fix this vulnerability, update to gfbgraph-0.2.5 or later using the instructions for gfbgraph (sysv) or gfbgraph (systemd).

11.0 051 libgrss Date: 2022-01-11 Severity: High

In libgrss-0.7.0, a security vulnerability was discovered that causes libgrss to fail to perform TLS certificate validation when downloading feeds. This allows remote attackers to manipulate the contents of feeds without detection and execute code on the machine remotely. This is another issue related to libsoup's SoupSessionSync default behavior. The BLFS developers have produced an update to the bugfixes patch for libgrss that fixes this vulnerability. This vulnerability has been assigned CVE-2016-20011.

To fix this vulnerability, rebuild libgrss with the patch (or update to a later version) using the instructions for libgrss (sysv) or libgrss (systemd).

11.0 050 Firefox Date: 2022-01-11 Severity: High

In firefox 91.5.0 several CVE issues, some rated High, were fixed. These are listed in mfsa-2022-02. The CVEs are CVE-2021-4140 (Not yet public), CVE-2022-22737 (Not yet public), CVE-2022-22738 (Not yet public), CVE-2022-22739 (Not yet public), CVE-2022-22740 (Not yet public), CVE-2022-22741 (Not yet public), CVE-2022-22742 (Not yet public), CVE-2022-22743 (Not yet public), CVE-2022-22745 (Not yet public), CVE-2022-22747 (Not yet public) and CVE-2022-22751 (Not yet public).

To fix these, update to firefox-91.5.0esr or later using the instructions for Firefox (sysv) or Firefox (systemd).

11.0 049 Node.js Date: 2022-01-11 Severity: Medium

In node.js-16.13.2, four medium-severity vulnerabilities were fixed. Initial details are at node.js/news. These vulnerabilities have been assigned CVE-2021-44531, CVE-2021-44532, CVE-2021-44533 and CVE-2021-21824.

To fix these vulnerabilities, update to Node.js-16.13.2 or later using the instructions for node.js (sysv) or node.js (systemd).

11.0 048 Grilo Date: 2021-01-10 Severity: Moderate

In Grilo-0.3.14, a security vulnerability was fixed that could allow for man-in-the-middle attacks and silent TLS encryption downgrades. This problem exists due to TLS certificate validation not being enabled on the SoupSessionAsync objects that grilo creates. This could also allow for commands and false data to be injected into a stream of data, depending on the context where Grilo is used. According to the National Vulnerability Database, this vulnerability can result in high confidentiality impact (information leakage), due to the silent TLS encryption downgrade. This vulnerability has been assigned CVE-2021-39365.

To fix this vulnerability, update to Grilo-0.3.14 or later using the instructions for Grilo (sysv) or Grilo (systemd).

11.0 047 make-ca Date: 2022-01-10 Severity: Moderate

In make-ca-1.9, a misinterpretation of input causes the generated trust store to contain some certificates explicitly untrusted by Mozilla. These certificates were the anchors of some already compromised CAs. Hostile attackers may exploit this and perform a man-in-the-middle (MITM) attack if they have kept the certificates obtained by defrauding those CAs. For more information see GHSA-m5qh-728v-4xrx. This vulnerability has been assigned CVE-2022-21672.

To fix this vulnerability, update to make-ca-1.10 or later using the instructions for make-ca (sysv) or make-ca (systemd), and run make-ca -r as the root user to regenerate the trust store after the update.
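As an added example that is not part of this advisory or of make-ca's own code: make-ca builds its store from Mozilla's certdata.txt, and the parser below walks constructed trust objects in that format and separates usable server-auth anchors from anchors Mozilla marks CKT_NSS_NOT_TRUSTED, which a correct generator must never emit as trusted.

```python
"""Classify Mozilla certdata.txt trust objects by their CKA_TRUST_* attributes.

Added example, not make-ca's own code. The sample data below is constructed
and carries no real certificate bytes; only the trust attributes matter here.
"""
from typing import Dict, Iterator, List

# Trust purposes carried by a CKO_NSS_TRUST object, mapped to short names.
PURPOSES = {
    "CKA_TRUST_SERVER_AUTH": "server",
    "CKA_TRUST_EMAIL_PROTECTION": "email",
    "CKA_TRUST_CODE_SIGNING": "code",
}

# Constructed certdata.txt fragment: one certificate object plus three trust
# objects (trusted, explicitly distrusted, email-only).
SAMPLE_CERTDATA = """\
BEGINDATA

#
# Certificate "Constructed Good Root"
#
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Constructed Good Root"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_VALUE MULTILINE_OCTAL
\\060\\202\\001
END

# Trust for "Constructed Good Root"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Constructed Good Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE

# Trust for "Constructed Distrusted Root"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Constructed Distrusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE

# Trust for "Constructed Email-Only Root"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Constructed Email-Only Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
"""


def parse_objects(text: str) -> Iterator[Dict[str, str]]:
    """Yield one attribute -> value dict per certdata object.

    Objects are separated by blank or comment lines. MULTILINE_OCTAL values
    run until a line reading END and are replaced by an opaque marker, since
    the trust decision depends only on the CKA_TRUST_* attributes.
    """
    obj: Dict[str, str] = {}
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            if obj:
                yield obj
                obj = {}
            continue
        parts = line.split(None, 2)
        if len(parts) < 2:          # e.g. the BEGINDATA marker
            continue
        attr, ctype = parts[0], parts[1]
        value = parts[2] if len(parts) == 3 else ""
        if ctype == "MULTILINE_OCTAL":
            for body in lines:      # consume the octal bytes up to END
                if body.strip() == "END":
                    break
            value = "<octal>"
        elif ctype == "UTF8":
            value = value.strip('"')
        obj[attr] = value
    if obj:
        yield obj


def trust_table(text: str) -> Dict[str, Dict[str, str]]:
    """Map each trust object's label to its CKT_NSS_* value per purpose.

    A missing CKA_TRUST_* attribute is treated as CKT_NSS_MUST_VERIFY_TRUST,
    i.e. no opinion, never as trusted.
    """
    table: Dict[str, Dict[str, str]] = {}
    for obj in parse_objects(text):
        if obj.get("CKA_CLASS") != "CKO_NSS_TRUST":
            continue
        table[obj["CKA_LABEL"]] = {
            name: obj.get(attr, "CKT_NSS_MUST_VERIFY_TRUST")
            for attr, name in PURPOSES.items()
        }
    return table


def server_auth_anchors(text: str) -> List[str]:
    """Labels that a TLS server-auth trust store may contain as anchors."""
    return sorted(label for label, t in trust_table(text).items()
                  if t["server"] == "CKT_NSS_TRUSTED_DELEGATOR")


def explicitly_distrusted(text: str) -> List[str]:
    """Labels Mozilla marks CKT_NSS_NOT_TRUSTED for at least one purpose."""
    return sorted(label for label, t in trust_table(text).items()
                  if "CKT_NSS_NOT_TRUSTED" in t.values())


if __name__ == "__main__":
    print("server-auth anchors:", server_auth_anchors(SAMPLE_CERTDATA))
    print("explicitly distrusted:", explicitly_distrusted(SAMPLE_CERTDATA))
```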

11.0 046 Wireshark Date: 2022-01-03 Severity: High

In Wireshark-3.6.1, six security vulnerabilities were fixed that could allow for remote attackers to cause Wireshark to crash or get stuck in an infinite loop, which can cause resource exhaustion. This can occur via packet injection while Wireshark is capturing packets and dissecting them, or via a crafted capture file. This can occur when Wireshark is being used on a network with Sysdig Event, BitTorrent, RTMPT, or Kafka packets being sent and received, or when examining/parsing *.pcapng or RFC 7468 files. If you use Wireshark to examine *.pcapng or RFC 7468 files, or are using Wireshark on a network where there may be Sysdig Events, BitTorrent, RTMPT, or Kafka packets being sent or received, update to Wireshark-3.6.1. These vulnerabilities have been assigned CVE-2021-4185, CVE-2021-4184, CVE-2021-4183, CVE-2021-4182, and CVE-2021-4181.

To fix these vulnerabilities, update to Wireshark-3.6.1 or later using the instructions for Wireshark (sysv) or Wireshark (systemd).

11.0 045 wpa_supplicant Date: 2021-12-26 Severity: High

The BLFS Editors have become aware of six security vulnerabilities in wpa_supplicant that are known upstream, and have created a patch to fix them. These vulnerabilities allow for packets to be accepted across networks without any validation (known as CallStranger), remote code execution, crashes, forging attacks, and local privilege escalation. Note that no user interaction is required to exploit any of these vulnerabilities. These vulnerabilities have been assigned CVE-2019-16275, CVE-2020-12695, CVE-2021-0326, CVE-2021-27803, CVE-2021-30004, and CVE-2021-0535.

To fix these vulnerabilities, update to wpa_supplicant-2.10 or later using the instructions for wpa_supplicant (sysv) or wpa_supplicant (systemd).

11.0 044 WebKitGTK+ Date: 2021-12-23 Severity: Medium

In WebKitGTK+-2.34.3, two security vulnerabilities were fixed that could allow for a bypass of the Content Security Policy (if enabled) and for universal cross-site scripting. These were both addressed with improved state management and CSP changes, and are classified as logic issues. These vulnerabilities have been assigned CVE-2021-30887 and CVE-2021-30890.

To fix these vulnerabilities, update to WebKitGTK+-2.34.3 or later using the instructions for WebKitGTK+ (sysv) or WebKitGTK+ (systemd).

11.0 043 Seamonkey Date: 2021-12-23 Severity: Critical

In Seamonkey-2.53.10.1, several security vulnerabilities were fixed. These vulnerabilities could allow for memory corruption, remote code execution, restriction bypass, spoofing attacks, silent encryption downgrade, URL leakage, and enumerating installed applications remotely. Updating to seamonkey-2.53.10.1 is recommended as soon as possible, as some of these security vulnerabilities are under active exploitation. These vulnerabilities have been assigned CVE-2021-38503, CVE-2021-38504, CVE-2021-38506, CVE-2021-38507, CVE-2021-43535, CVE-2021-38508, CVE-2021-38509, CVE-2021-43534, CVE-2021-43536, CVE-2021-43537, CVE-2021-43538, CVE-2021-43539, CVE-2021-43541, CVE-2021-43542, CVE-2021-43543, CVE-2021-43545, CVE-2021-43546, and CVE-2021-4129 (Not Public).

To fix these vulnerabilities, update to Seamonkey-2.53.10.1 or later using the instructions for Seamonkey (sysv) or Seamonkey (systemd).

11.0 042 Apache HTTPD Date: 2021-12-23 Severity: Critical

In httpd-2.4.52, two security vulnerabilities were fixed. One of the security vulnerabilities can cause a crash, or Server Side Request Forgery, if ProxyRequests is turned on in httpd.conf (enabling forward proxy). An additional security vulnerability exists that can cause a buffer overflow when mod_lua is enabled. This is caused by a carefully crafted request body when r:parsebody() is called from within a Lua script. While no exploit currently exists, it is very likely that one will be created soon according to upstream. If you use mod_lua or ProxyRequests, you should update to httpd-2.4.52 or later as soon as possible. These vulnerabilities have been assigned CVE-2021-44224 and CVE-2021-44790.

To fix these vulnerabilities, update to httpd-2.4.52 or later using the instructions for Apache (sysv) or Apache (systemd).

11.0 041 PHP Date: 2021-12-23 Severity: High

In PHP-8.1.1, a security vulnerability was fixed that could allow for an out-of-bounds access when using php_pcre_replace_impl() via a crafted preg_replace call. This out-of-bounds access can lead to remote information disclosure or a denial-of-service. Note that this vulnerability originated in PHP-7.1.5 from around 2017. Upgrading PHP if you use preg_replace is suggested. This vulnerability has been assigned CVE-2017-9118.

To fix this vulnerability, update to PHP-8.1.1 or later using the instructions for PHP (sysv) or PHP (systemd).

11.0 040 Thunderbird Date: 2021-12-23 Severity: Critical

In Thunderbird-91.3.1, several security vulnerabilities were fixed. These vulnerabilities could allow for restriction bypasses via cross-site scripting, memory corruption / crashes, spoofing attacks, TLS encryption bypass, exposing target URLs during navigation, remotely querying installed applications, sandbox escapes, information disclosure (if you use Matrix via Thunderbird's Chat function), remote code execution, and plaintext recovery of encrypted data (using OpenPGP). Several of these security vulnerabilities are rated as critical by NVD, so you should update as soon as possible. These vulnerabilities have been assigned CVE-2021-40529, CVE-2021-38503, CVE-2021-38504, CVE-2021-38506, CVE-2021-38507, CVE-2021-43535, CVE-2021-38508, CVE-2021-38509, CVE-2021-43534, CVE-2021-43536, CVE-2021-43537, CVE-2021-43538, CVE-2021-43539, CVE-2021-43541, CVE-2021-43542, CVE-2021-43543, CVE-2021-43545, CVE-2021-43546, CVE-2021-43528, CVE-2021-4126 (Not Public), and CVE-2021-44538.

To fix these vulnerabilities, update to Thunderbird-91.4.1 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).

11.0 039 Lynx Date: 2021-12-18 Severity: Medium

A security vulnerability was brought to the BLFS Editors' attention in Lynx. This security vulnerability allows for passwords to be leaked in cleartext on connections which are using HTTPS. In response to this, the BLFS Editors created a patch to fix this vulnerability. The vulnerability only affects users who use HTTPS URLs with Lynx, and who authenticate on that website as well. This vulnerability has been assigned CVE-2021-38165.

To fix this vulnerability, apply the patch in Lynx using the instructions for Lynx (sysv) or Lynx (systemd).

11.0 038 xorg-server Date: 2021-12-18 Severity: High

In xorg-server-21.1.2, four security vulnerabilities were fixed that allow for local privilege escalation (on local systems), and remote code execution (on systems which are using SSH forwarding). All four of these vulnerabilities are classified as out-of-bounds access, and are due to improper input validation. One of these vulnerabilities exists in the Record extension, another in the ScreenSaver extension, another in XFixes, and the last in the Render extension (which handles fonts). Note that these security vulnerabilities were fixed in XWayland as well, so you should install both updates. These vulnerabilities have been assigned CVE-2021-4008, CVE-2021-4009, CVE-2021-4010, and CVE-2021-4011.

To fix these vulnerabilities, update to xorg-server-21.1.2 or later using the instructions for xorg-server (sysv) or xorg-server (systemd).

11.0 037 XWayland Date: 2021-12-18 Severity: High

In XWayland-21.1.4, four security vulnerabilities were fixed that allow for local privilege escalation (on local systems), and remote code execution (on systems which are using SSH forwarding). All four of these vulnerabilities are classified as out-of-bounds access, and are due to improper input validation. One of these vulnerabilities exists in the Record extension, another in the ScreenSaver extension, another in XFixes, and the last in the Render extension (which handles fonts). Note that these security vulnerabilities were fixed in xorg-server as well, so you should install both updates. These vulnerabilities have been assigned CVE-2021-4008, CVE-2021-4009, CVE-2021-4010, and CVE-2021-4011.

To fix these vulnerabilities, update to XWayland-21.1.4 or later using the instructions for XWayland (sysv) or XWayland (systemd).

11.0 036 lxml Date: 2021-12-18 Severity: High

In lxml-4.7.1, two security vulnerabilities were fixed that could allow for crafted script content to pass through the HTML Cleaner. This can occur with SVG files embedded with data URIs, as well as with CSS imports. Note that this only affects packages that use 'lxml' for sanitizing HTML imports, but upstream has rated both security vulnerabilities as high, and has assigned one CVE for both. This set of security vulnerabilities has been assigned CVE-2021-43818.

To fix these vulnerabilities, update to lxml-4.7.1 or later using the instructions for lxml (sysv) or lxml (systemd).

11.0 035 OpenJDK Date: 2021-12-17 Severity: Critical

In OpenJDK-17.0.1, several security vulnerability fixes were applied that address remote code execution, unauthorized modification of data, and denial of service. Some of these occurred via malicious image files, as well as TLS bypass and connection hijacking. This update to JDK also prevents exploitation of the log4j security vulnerability, known as Log4Shell. Log4Shell permits trivial remote-code-execution and is being exploited worldwide at an alarming rate. Most Java applications are affected because they use Apache's log4j logging framework. If you have Java installed, you MUST install this update immediately to protect yourself from exploitation. These vulnerabilities have been assigned CVE-2021-35567, CVE-2021-35586, CVE-2021-35564, CVE-2021-35556, CVE-2021-35559, CVE-2021-35561, CVE-2021-35578, and CVE-2021-35603, and this update helps protect against CVE-2021-44228.

To fix these vulnerabilities, update to OpenJDK-17.0.1 or later using the instructions for OpenJDK (sysv) or OpenJDK (systemd).

Alternatively, you may use the binary the BLFS Editors have produced: Java (sysv) or Java (systemd).

11.0 034 AudioFile Date: 2021-12-13 Severity: Critical

On December 13th, 2021, the BLFS project became aware of several security vulnerabilities in AudioFile and created a patch. These 13 security vulnerabilities include denial of service, arbitrary command execution, and arbitrary code execution vulnerabilities. They occur in a variety of places, such as when playing a .WAV file, editing a .WAV file, or adjusting various settings such as buffer sizes in a WAV file. Some also occur when using the 'sfconvert' command provided with AudioFile. Note that the only package in BLFS that uses AudioFile is KWave. If you have KWave installed, updating to AudioFile with this patch should be done immediately. These vulnerabilities have been assigned CVE-2017-6839, CVE-2017-6838, CVE-2017-6837, CVE-2017-6836, CVE-2017-6835, CVE-2017-6834, CVE-2017-6833, CVE-2017-6832, CVE-2017-6831, CVE-2017-6830, CVE-2017-6829, CVE-2017-6828, and CVE-2017-6827.

To fix these vulnerabilities, apply the patch for AudioFile using the instructions for AudioFile (sysv) or AudioFile (systemd).

11.0 033 PostgreSQL Date: 2021-12-13 Severity: High

In PostgreSQL-14.1 (as well as 13.5, 12.9, 11.14, 10.19, and 9.6.24), two security vulnerabilities were fixed that could allow for both PostgreSQL Client and PostgreSQL Server to process unencrypted bytes from an unauthenticated remote attacker via a man-in-the-middle attack. This is caused by injecting false responses into PostgreSQL during initial authentication. In the case of PostgreSQL Server, this also allows for injection of arbitrary SQL queries when a connection is first established. These vulnerabilities have been assigned CVE-2021-23214 and CVE-2021-23222.

To fix these vulnerabilities, update to PostgreSQL-14.1 or later using the instructions for PostgreSQL (sysv) or PostgreSQL (systemd).

11.0 032 Ruby Date: 2021-12-13 Severity: Critical

In Ruby-3.0.3, three security vulnerabilities were fixed that could allow for arbitrary code execution, denial of service, and content spoofing. The arbitrary code execution vulnerability exists in the CGI gem, and occurs when large files are passed to CGI.escape_html due to a buffer overflow. The denial of service vulnerability happens when parsing dates using Date.parse(). The content spoofing vulnerability occurs when using CGI::Cookie.parse. This is a resurgence of the CVE-2020-8184 vulnerability, which allows for attackers to modify cookies in transit and for them to be accepted by Ruby without going through any validation. These vulnerabilities have been assigned CVE-2021-41817, CVE-2021-41816, and CVE-2021-41819.

To fix these vulnerabilities, update to ruby-3.0.3 or later using the instructions for Ruby (sysv) or Ruby (systemd).

11.0 031 PHP Date: 2021-12-13 Severity: Medium

In PHP-8.0.13, a security vulnerability was fixed that could allow for PHP to read a different file from what the user intended. If a filename contains a URL-encoded NUL character, this may cause the simplexml_load_file() function to interpret the character as the end of the filename, thus allowing remote attackers to read a different file from what the programmers intended. This vulnerability has been assigned CVE-2021-21707.

To fix this vulnerability, update to php-8.0.13 or later using the instructions for PHP (sysv) or PHP (systemd).

11.0 030 Firefox Updated: 2021-12-07 Severity: High

In firefox-91.4.0, several CVE issues, some rated High, were fixed. These are listed in mfsa-2021-53. The CVEs are CVE-2021-4129 (Not yet public), CVE-2021-43536, CVE-2021-43537, CVE-2021-43538, CVE-2021-43539, CVE-2021-43541, CVE-2021-43542, CVE-2021-43543, CVE-2021-43545, and CVE-2021-43546.

To fix these, update to firefox-91.4.0esr or later: Firefox (sysv) or Firefox (systemd).

11.0 029 NSS Date: 2021-12-02 Severity: Critical

Versions of NSS before 3.73 or 3.68.1-ESR are vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures. Further details at mfsa-2021-51, CVE-2021-43527 (not yet public).

To fix this, update to at least NSS-3.73 using the instructions for NSS (sysv) or NSS (systemd).

11.0 028 QtWebEngine Date: 2021-11-27 Severity: Critical

Twenty more CVEs (from Chromium) in QtWebEngine, most rated as High but two rated as Critical, have been fixed in the 5.15.7 version: CVE-2021-37980, CVE-2021-37979, CVE-2021-37978, CVE-2021-37975, CVE-2021-37973, CVE-2021-37972, CVE-2021-37971, CVE-2021-37968, CVE-2021-37967, CVE-2021-37962, CVE-2021-37633, CVE-2021-37630, CVE-2021-37629, CVE-2021-37628, CVE-2021-37627, CVE-2021-37626, CVE-2021-37625, CVE-2021-37618, CVE-2021-37616, CVE-2021-37613.

To fix these, patch the BLFS qtwebengine-5.15.6 tarball with qtwebengine-5.15.6-5.15.7-1.patch followed by qtwebengine-5.15.7-build_fixes-1.patch (or update to a later version) using the instructions at QtWebEngine (sysv), or QtWebEngine (systemd).

11.0 027 Wireshark Date: 2021-11-22 Severity: Medium

In Wireshark-3.4.10, several denial of service vulnerabilities were fixed, which could be exploited through dissecting certain types of packets. These denial-of-service vulnerabilities include application crashes and excessive resource consumption. This can occur when dissecting Bluetooth DHT, HCI_ISO, SDP, and DHT packets, as well as PNRP, C12.22, IEEE-802.11 (WiFi), modbus, and Internet Printing Protocol over USB (IPPUSB) packets. These vulnerabilities have been assigned CVE-2021-39929, CVE-2021-39926, CVE-2021-39925, CVE-2021-39924, CVE-2021-39922, CVE-2021-39928, CVE-2021-39921, and CVE-2021-39920.

To fix these vulnerabilities, update to Wireshark-3.4.10 or later using the instructions for Wireshark (sysv) or Wireshark (systemd).

11.0 026 Samba Date: 2021-11-11 Severity: Critical

In Samba-4.15.2 (and Samba-4.14.10), eight security vulnerabilities have been fixed. Several are known to be actively exploited. The details can be found in: CVE-2016-2124, CVE-2020-25717, CVE-2020-25718, CVE-2020-25719, CVE-2020-25721, CVE-2020-25722, CVE-2021-3738, and CVE-2021-23192. Note that there are important behavior changes after the fixes are applied. Please read the advisories to see whether you are impacted.

To fix these vulnerabilities update to Samba-4.15.2 or later (or 4.14.10) using the instructions for Samba (sysv) or Samba (systemd).

11.0 025 Firefox Updated: 2021-11-02 Severity: Critical

In firefox 78.15.0 and 91.2.0, the usual 'Memory Safety bugs' with a High severity have been fixed as well as some other items. One of the High severity items has now been analyzed as Critical. These are listed in mfsa-2021-49. The items not specifically identified as for mac OS or windows are: CVE-2021-38503, CVE-2021-38504, CVE-2021-38506, CVE-2021-38507, CVE-2021-38508, CVE-2021-38509, CVE-2021-43534, and CVE-2021-43535. The latter two were initially identified as MOZ-2021-0007 and MOZ-2021-0008 pending allocation of a CVE.

To fix these, update to firefox-91.3.0esr or later: Firefox (sysv) or Firefox (systemd).

11.0 024 BIND9 Date: 2021-10-27 Severity: Medium

In versions of BIND prior to 9.16.22, a security vulnerability existed that could allow for remote attackers to cause a degradation in BIND resolver performance by sending malformed packets to a server. This has to do with a feature called "lame cache", which is enabled by setting the 'lame-ttl' option in named.conf to a number greater than 0. The option is set to 600 in the default configuration, meaning that it's enabled by default. A successful attack results in the internal data structures for the lame cache growing without bound, which results in a server burning most of its CPU time on just maintaining the "lame cache", resulting in major slowdown and timeouts on client hosts. This vulnerability is exploitable remotely. To work around this, set 'lame-ttl 0' in named.conf. NOTE: Only the server is affected, you do not need to update if you are running the client utilities. This vulnerability has been assigned CVE-2021-25219.

To fix this vulnerability, update to BIND-9.16.22 or later using the instructions for BIND (sysv) or BIND (systemd).

11.0 023 Samba Date: 2021-10-27 Severity: High

In Samba-4.15.1 (and Samba-4.14.9), a security vulnerability was fixed that could allow for an authentication bypass due to a flaw in the version of Heimdal (a Kerberos implementation) that is shipped with Samba. This allows for an authentication bypass identical to the one that can happen on Microsoft Windows installations, which was patched in December of 2020. Note that the attack complexity is rated as High, although it can be performed with no user interaction, and can only be performed over a network. This vulnerability has been assigned CVE-2020-17049.

To fix this vulnerability, update to Samba-4.15.1 or later (or 4.14.9) using the instructions for Samba (sysv) or Samba (systemd).

11.0 022 ffmpeg Date: 2021-10-27 Severity: Critical

In ffmpeg-4.4.1 (as well as 4.3.3 and 4.2.5, if you prefer to use those particular versions), 11 security vulnerabilities were fixed that could lead to remote code execution, extraction of sensitive information, and remote denial of service. These occur due to a variety of reasons, including divide-by-zero errors, buffer overflows, heap buffer overflows, memory leaks, out of bounds access, unchecked return values, and assertions being reached due to malicious files. All users who have ffmpeg should upgrade to the latest version of their particular branch. In the case of BLFS 11.0, that would be 4.4.1, but previous versions should upgrade to the relevant branches for that particular book to prevent problems when upgrading. These vulnerabilities have been assigned CVE-2020-20446, CVE-2020-24053, CVE-2020-22015, CVE-2020-22019, CVE-2020-22033, CVE-2020-22021, CVE-2020-22037, CVE-2021-33815, CVE-2021-38114, CVE-2021-38171, and CVE-2021-38291.

To fix these vulnerabilities, update to ffmpeg-4.4.1 or later (or 4.3.3/4.2.5) using the instructions for ffmpeg (sysv) or ffmpeg (systemd).

11.0 021 Exiv2 Date: 2021-10-27 Severity: Medium

In exiv2-0.27.5, a total of six denial-of-service security vulnerabilities were fixed. Four of these are in libexiv2, while the other two are in the exiv2 command line utility. These vulnerabilities happen due to a variety of reasons, but they mostly occur due to null-pointer dereferences, out-of-memory crashes, infinite loop bugs, integer divide by zero, and out-of-bounds reads. These vulnerabilities pose no threat other than crashing programs. Because of this, only three of these vulnerabilities were assigned CVEs, while the other three were just mentioned as being security related bugfixes. These vulnerabilities have been assigned CVE-2021-37620, CVE-2021-37621, and CVE-2021-37618.

To fix these vulnerabilities, update to exiv2-0.27.5 or later using the instructions for Exiv2 (sysv) or Exiv2 (systemd).

11.0 020 PHP Date: 2021-10-27 Severity: Critical

In PHP-8.0.12 and PHP-7.4.25, a security vulnerability was fixed that allows for privilege escalation (to root) when using the PHP Fast Process Manager (FPM) in its default configuration. In this case, a remote attacker can execute code on your server as the root process or escalate to root through Apache HTTPD due to a memory access problem in PHP FPM. This vulnerability has existed for the last 10 years, and there is a proof-of-concept and a demo exploit available. If you have php-fpm installed on your system and have the daemon started/enabled, you should update as soon as possible. This vulnerability has been assigned CVE-2021-21703.

To fix this vulnerability, update to php-8.0.12 or later using the instructions for PHP (sysv) or PHP (systemd).

11.0 019 Thunderbird Date: 2021-10-21 Severity: Critical

In Thunderbird-91.2.0, several security vulnerabilities were fixed. These vulnerabilities include a downgrade attack on SMTP STARTTLS connections (which could allow for encryption to be downgraded to plaintext and emails to be snooped over the wire), as well as potentially exploitable crashes, memory leaks, and memory corruption. Upgrading to this version of Thunderbird is recommended as soon as possible due to the SMTP STARTTLS downgrade attack. These vulnerabilities have been assigned CVE-2021-38502, CVE-2021-38496, CVE-2021-38497, CVE-2021-38498, CVE-2021-32810, CVE-2021-38500, and CVE-2021-38501.

To fix these vulnerabilities, update to Thunderbird-91.2.0 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).

11.0 018 Seamonkey Date: 2021-10-21 Severity: High

In Seamonkey-2.53.9.1, a memory safety bug that was present in Firefox was fixed. This memory safety bug is the same bug that was fixed in Firefox-78.14.0. The Mozilla developers believe that this vulnerability may be exploited to allow remote code execution, and updating is suggested. This vulnerability has been assigned CVE-2021-38493.

To fix this vulnerability, update to Seamonkey-2.53.9.1 or later using the instructions for Seamonkey (sysv) or Seamonkey (systemd).

11.0 017 Samba Date: 2021-10-20 Severity: Medium

In Samba-4.17.0, a security vulnerability was fixed that could allow for a remote attacker to crash the Samba server process if the Active Directory Domain Controller was configured. This can occur due to a request to the Key Distribution Center omitting the server name in the request. Since this is a recoverable Denial-Of-Service, a specific version of Samba was not created for this. This vulnerability only affects LFS users if they are configuring their Samba server to run as a domain controller in an Active Directory environment, and if they are using Heimdal (the internal) KDC instead of the MIT Kerberos KDC. This vulnerability has been assigned CVE-2021-3671.

To fix this vulnerability, update to Samba-4.15.0 or later using the instructions for Samba (sysv) or Samba (systemd).

11.0 016 MIT Kerberos V5 Date: 2021-10-18 Severity: Medium

In MIT Kerberos V5 1.18.2, a security vulnerability exists that can allow a remote attacker to crash the Key Distribution Center via a specially crafted packet. The official description is a NULL pointer dereference. It occurs when a packet is sent with a FAST inner body which lacks a server field. The only threat caused by this vulnerability is one to system availability; however, the Samba 4.15.0 release notes suggested that users update to a version that is not affected by the bug. This vulnerability has been assigned CVE-2021-37750.

To fix this vulnerability, rebuild KRB5 using the sed in the BLFS Development Books by using the instructions for MIT Kerberos V5 (sysv) or MIT Kerberos V5 (systemd), or update to a newer version when available.

11.0 015 VIM (LFS and BLFS) Date: 2021-10-18 Severity: High

In vim-8.2.3508, three security vulnerabilities were fixed. These vulnerabilities could lead to crashes and arbitrary code execution when VIM processes crafted XML source code files. These vulnerabilities can also be exploited when processing UTF-8 encoded files due to hidden characters, or when running nv_replace(). All three of these issues have been rated as High by the NVD. More information can be found at oss-security posting. These vulnerabilities have been assigned CVE-2021-3770, CVE-2021-3778, and CVE-2021-3796.

To fix these vulnerabilities, update to vim-8.2.3508 or later using the instructions for vim (sysv) or vim (systemd).

11.0 014 Node.js Date: 2021-10-13 Severity: Medium

In node.js-14.18.1, two HTTP Request Smuggling vulnerabilities were fixed. Initial details are at node.js/news. These vulnerabilities have been assigned CVE-2021-22959 and CVE-2021-22960.

To fix these vulnerabilities, update to Node.js-14.18.1 or later using the instructions for node.js (sysv) or node.js (systemd).

11.0 013 Apache HTTPD Date: 2021-10-12 Severity: Critical

New vulnerabilities were found in apache 2.4.49, and it was then discovered that the fix in 2.4.50 was incomplete, resulting in a further CVE, see apache. This CVE is known to be exploited in the wild and is trivial to exploit, and allows for remote code execution with a simple HTTP request via cURL. This gives two vulnerabilities identified as critical although not in the default configuration (see the link above), and one which could be used to DoS the server with a specially crafted request: CVE-2021-42013, CVE-2021-41773, CVE-2021-41524.

To fix this, upgrade to Apache-2.4.51 or later: Apache (sysv) or Apache (systemd).

11.0 012 Firefox Updated: 2021-11-02 Severity: Critical

In firefox 78.15.0 and 91.2.0, the usual 'Memory Safety bugs' with a High severity have been fixed, as well as some other CVEs to which mozilla gives a lower severity, although NVD has now rated one of these as critical. These are listed in mfsa-2021-44 and mfsa-2021-45. One of these is for the rust crossbeam-deque package, and is rated as moderate severity by mozilla, but now rated as Critical by NVD: CVE-2021-32810. The rest are not yet public, except in the mozilla advisories: CVE-2021-38496, CVE-2021-38497, CVE-2021-38498, CVE-2021-38500, CVE-2021-38501.

To fix these, update to firefox-91.2.0esr or later: Firefox (sysv) or Firefox (systemd). (Firefox-78 is now End of Life.)

11.0 011 Fetchmail Date: 2021-09-23 Severity: Medium

In fetchmail before version 6.4.22, on IMAP connections without --ssl and with nonempty --sslproto, meaning that fetchmail is to enforce TLS, if the server or an attacker sends a PREAUTH greeting, fetchmail used to continue an unencrypted connection. It is recommended to use '--ssl' or the ssl user option in an rcfile. Those were added to BLFS-11.0 in a note just before the release; the BLFS editors believe that using those removes the problem, and in that case no update is necessary. The vulnerability has been assigned CVE-2021-39272.

In other cases, update to Fetchmail-6.2.22 or later using the instructions for Fetchmail (sysv), or Fetchmail (systemd).

11.0 010 WebKitGTK+ Updated: 2021-10-26 Severity: Critical

In WebKitGTK+-2.34.0, a critical 0day security vulnerability was fixed that allows for attackers to silently execute arbitrary code via maliciously crafted web content. In some cases, this may include advertisements embedded on normal web pages. There have been several reports over the past couple of days of this vulnerability being exploited in the wild to silently install malware on various Apple devices, and WebKitGTK+ is impacted because it uses Apple's WebKit. This vulnerability was fixed with improved memory management, and updating to the latest WebKit should be done without any delay due to it being actively exploited through advertisements on many web pages and through other means, such as malicious JPEG and PNG images. Exploitation is possible through the Epiphany web browser and through malicious emails in Evolution or Balsa. The vulnerability has been named "FORCEDENTRY". This vulnerability has been assigned CVE-2021-30858, and additional information is available at United States Cybersecurity and Infrastructure Security Agency Advisory and Apple Security Advisory.

On October 26th, 2021, the LFS project became aware of additional vulnerabilities that were fixed in this version. These primarily include memory corruption vulnerabilities that lead to code execution. These vulnerabilities have been assigned CVE-2021-30846, CVE-2021-30848, CVE-2021-30849, and CVE-2021-30851.

To fix this security vulnerability, update to WebKitGTK+-2.34.1 or later using the instructions for WebKitGTK (sysv) or WebKitGTK (systemd).

11.0 009 libexif Date: 2021-09-22 Severity: Moderate

In libexif before 0.6.23, four total security vulnerabilities existed that could allow for denial of service and arbitrary code execution. Two of these security vulnerabilities were fixed in a patch for libexif in BLFS 10.1. The two new security vulnerabilities have not been assigned CVEs as they were discovered by automated testing. The two previous vulnerabilities have been assigned CVE-2020-0198 and CVE-2020-0452.

To fix these new vulnerabilities, update to libexif-0.6.23 or later using the instructions for libexif (sysv) or libexif (systemd).

11.0 008 cURL Date: 2021-09-22 Severity: High

In cURL before 7.79.0, three security vulnerabilities exist that could allow for a denial of service, security protocol downgrades (leading to disclosure of encrypted information), and malicious data injection. The denial of service vulnerability occurs when sending data to a MQTT server over the MQTT protocol, and that protocol is built into cURL by default. The protocol downgrade vulnerability affects POP3, FTP, and IMAP connections and occurs when a malicious server (or man-in-the-middle attacker) sends a properly crafted and legitimate response. The flaw makes cURL silently continue its operations without encryption, contrary to the instructions passed to it as well as general expectations. The data injection vulnerability happens when using the STARTTLS protocol with IMAP, POP3, SMTP, or FTP. Multiple responses can be received prior to using STARTTLS to upgrade the connection to TLS, and cURL would process these out of cache and trust them instead of processing (and verifying) them after the TLS handshake was performed. This allows man-in-the-middle attackers to inject fake responses and trick cURL into sending malicious (or fake) data back to the user. These vulnerabilities have been assigned CVE-2021-22945, CVE-2021-22946, and CVE-2021-22947.

To fix these vulnerabilities, update to cURL-7.79.0 or later using the instructions for cURL (sysv) or cURL (systemd).

11.0 007 Python (LFS and BLFS) Date: 2021-09-22 Severity: Moderate

In Python3 before 3.9.7, three security vulnerabilities exist that could result in crashes, performance impacts, and command injection when using Python's smtplib module. The performance impact can be triggered with malicious .pyc files compiled from wheels. The crash could result when creating Temporary Directories via tempfile.mktemp(), and the command injection was fixed by sanitizing \r and \n commands in SMTP responses. More information for these security vulnerabilities can be found at bpo-42278, bpo-41180, and bpo-43124.

To fix these vulnerabilities, update to Python-3.9.7 or later using the instructions from the BLFS book for Python (sysv) or Python (systemd).

11.0 006 Apache HTTPD Updated: 2021-12-13 Severity: Critical

Several vulnerabilities in the Apache web server have been found, one of which is rated high: CVE-2021-40438. A crafted request uri-path can cause mod_proxy to forward the request to an origin server chosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier. Additional vulnerabilities include content spoofing, cache poisoning, denial-of-service, and buffer overflows. These vulnerabilities have been assigned CVE-2021-33193, CVE-2021-34798, CVE-2021-36160, and CVE-2021-39275.

To fix this, upgrade to Apache-2.4.51 or later: Apache (sysv) or Apache (systemd).

11.0 005 Ghostscript Date: 2021-09-10 Severity: Critical

A vulnerability in the ghostscript library libgs.so which allows arbitrary code execution, for example by invoking the convert program from ImageMagick on a user-supplied image file, was announced in August with a public PoC provided. This was initially reported as applying to version 9.50. It has now been reported upstream and determined to apply to all current versions from 9.50 onwards. Upstream have applied a fix and are now preparing for a new release (expected later this month). The public details can now be seen at bug 704342, and this vulnerability has been assigned CVE-2021-3781.

To fix this use ghostscript-9.54 with the ghostscript-9.54.0-upstream_fix-2.patch from the released book, or upgrade to ghostscript-9.55.0 using the instructions for Ghostscript (sysv) or Ghostscript (systemd).

11.0 004 Thunderbird Date: 2021-09-10 Severity: High

In thunderbird 91.1.0, a Memory Safety bug with a High severity has been fixed. See mfsa-2021-41. This vulnerability has been assigned CVE-2021-38495.

To fix this, update to thunderbird-91.1.0 or later: Thunderbird (sysv) or Thunderbird (systemd).

11.0 003 SANE Date: 2021-09-08 Severity: Medium

In sane-backends-1.0.32, several security vulnerabilities were fixed with Epson scanners, and also in the magicolor backend and the TCP (Network) scanning backend. These can result in a malicious scanner residing on the same network as the victim causing a denial of service (application crash). With the Epson scanner backend, it's also possible for a malicious Epson scanner to read important information from applications that use SANE (such as the ASLR offsets of the program), or to execute arbitrary code whenever a program, such as GIMP, queries the scanner for basic information. If you have an Epson scanner on your network or connected directly to your computer, upgrading SANE is suggested. These vulnerabilities have been assigned CVE-2020-12867, CVE-2020-12862, CVE-2020-12863, CVE-2020-12865, CVE-2020-12866, CVE-2020-12861, and CVE-2020-12864.

To fix these vulnerabilities, update to sane-backends-1.0.32 or later using the instructions for SANE (sysv), or SANE (systemd).

11.0 002 Firefox Updated: 2021-11-02 Severity: High

In firefox 78.14.0 and 91.1.0, the usual 'Memory Safety bugs' with a High severity have been fixed. However, the advisory for 91.1.0 mfsa-2021-40 appears to have a typo (it says CVE-2021-38495), the corresponding advisories for 78.14.0 mfsa-2021-39 and for 92.0 (which has an additional CVE fix) mfsa-2021-38 are clear that the item is CVE-2021-38493. The details for CVE-2021-38493 can be found here: CVE-2021-38493.

To fix these update to firefox-91.1.0esr or later (firefox-78 is now End of Life). Firefox (sysv) or Firefox (systemd).

11.0 001 Node.js Date: 2021-09-07 Severity: High

In node.js-14.17.6, five security vulnerabilities were fixed that could lead to arbitrary file creation/overwrite (due to insufficient symlink protection) and arbitrary code execution. When using the Arborist module, extracting the package into a node_modules folder that contains a symbolic link will result in files being written to any location on the filesystem. The node-tar module was also affected by a symbolic link attack that could allow symlinks in a tarball to escape into the filesystem and overwrite (or create) files in attacker-controlled locations. Both node-tar and Arborist are included with Node.js. These vulnerabilities have been assigned CVE-2021-37701, CVE-2021-37712, CVE-2021-37713, CVE-2021-39134, and CVE-2021-39135.

To fix these vulnerabilities, update to Node.js-14.17.6 or later using the instructions for node.js (sysv) or node.js (systemd).

Items between the releases of the 10.1 and 11.0 books

10.1 106 (LFS) GLIBC Date: 2022-03-01 Severity: Critical

On reviewing the vulnerabilities fixed in glibc-2.35 it became apparent that these, and one earlier vulnerability the editors had not been aware of, applied to glibc-2.33 as used in LFS-10.1. Details are at CVE-2021-33574, CVE-2021-38604 (originally fixed in LFS by a sed which is now insufficient with the other fixes), CVE-2022-3998 (not yet public), CVE-2022-3999 (not yet public), CVE-2022-23218 and CVE-2022-23219.

If you are still using an LFS glibc-2.33 system, fix these by following the instructions in glibc-2.33-security_fixes-1.patch.

10.1 105 ntfs-3g Date: 2021-08-31 Severity: Critical

ntfs-3g-2021.8.22 includes several security fixes that have to do with buffer overflows when reading NTFS metadata. These vulnerabilities allow attackers using a maliciously crafted NTFS image (or external storage, such as a USB External Hard Drive) to potentially execute arbitrary code in the context of the kernel. This can be exploited via plugging an affected drive into a USB port, and can be automatically exploited when filesystems are automounted in desktop environments. This can also be manually exploited by mounting the filesystem normally. These vulnerabilities exist due to insufficient validation of NTFS metadata. The developers of ntfs-3g suggest updating as soon as possible. These vulnerabilities have been assigned CVE-2021-33285, CVE-2021-35269, CVE-2021-35268, CVE-2021-33289, CVE-2021-35266, CVE-2021-33287, CVE-2021-33267, CVE-2021-39251, CVE-2021-39252, CVE-2021-39253, CVE-2021-39254, CVE-2021-39255, CVE-2021-39256, CVE-2021-39257, CVE-2021-39258, CVE-2021-39259, CVE-2021-39260, CVE-2021-39261, CVE-2021-39262, and CVE-2021-39263 (21 total). Additional details can be found at NTFS3G-SA-2021-001.

To fix these vulnerabilities, update to ntfs-3g-2021.8.22 or later using the instructions for ntfs-3g (sysv) or ntfs-3g (systemd).

10.1 104 Seamonkey Date: 2021-08-29 Severity: High

The fixes from firefox-78.13.0 are understood to be included in seamonkey-2.53.9. For details see CVE-2021-29980, CVE-2021-29984, CVE-2021-29985, CVE-2021-29986, CVE-2021-29988, CVE-2021-29989.

To fix these, update to Seamonkey-2.53.9 or later using the instructions for Seamonkey (sysv) or Seamonkey (systemd).

10.1 103 QtWebEngine Date: 2021-08-29 Severity: High

Many more CVEs (from Chromium) in QtWebEngine, most rated as High, have been fixed in the 5.15.6 version: CVE-2021-30604, CVE-2021-30603, CVE-2021-30602, CVE-2021-30599, CVE-2021-30598, CVE-2021-30588, CVE-2021-30587, CVE-2021-30585 (the backport to fix this mentions that it applies to linux, not just windows), CVE-2021-30573, CVE-2021-30569, CVE-2021-30568, CVE-2021-30563, CVE-2021-30560, CVE-2021-30559, CVE-2021-30556, CVE-2021-30554, CVE-2021-30553, CVE-2021-30551, CVE-2021-30548, CVE-2021-30547, CVE-2021-30544, CVE-2021-30541, CVE-2021-30536, CVE-2021-30535, CVE-2021-30534, CVE-2021-30533, CVE-2021-30530, CVE-2021-30523, CVE-2021-30522. To fix these, update to the BLFS 5.15.6 tarball with instructions for installing that as 5.15.2 to match Qt5 plus the qtwebengine-5.15.6-upstream_fixes-1.patch (or update to a later version) using the instructions at QtWebEngine (sysv), or QtWebEngine (systemd).

10.1 102 APR Date: 2021-08-26 Severity: High

In apr-1.7.0, a security vulnerability exists due to a regression in the Apache Subversion source code repository for APR. An out of bounds array read in the apr_time_exp*() functions was fixed in apr-1.6.3 back in 2017, but the fix was not carried over to the 1.7.x branch, resulting in this vulnerability from 2017 not being fixed in apr-1.7.0. This vulnerability is easy to exploit by setting the month to something larger than 12 in an input to the apr_time_exp() functions. This vulnerability was originally known as CVE-2017-12613, but this case has a new identifier. APR was fixed with a sed. This vulnerability has been assigned CVE-2021-35940.

To fix this, apply the sed in the APR page and rebuild APR using the instructions for Apr (sysv), or Apr (systemd).

10.1 101 libgcrypt Date: 2021-08-26 Severity: High

libgcrypt-1.9.4 has fixed a security vulnerability in the Elgamal encryption implementation that allows for denial of service and decryption of data via a side-channel attack. The vulnerability was originally introduced in 2000. A paper has been written on this vulnerability, and the developers recommend updating to libgcrypt-1.9.4 as soon as possible, as any version after the year 1999 is affected by this vulnerability. This vulnerability has been assigned CVE-2021-33560.

To fix this, update to libgcrypt-1.9.4 or later using the instructions for libgcrypt (sysv), or libgcrypt (systemd).

10.1 100 Libarchive Date: 2021-08-26 Severity: Medium

Three vulnerabilities concerning symlink handling in libarchive-3.5.1 and earlier releases have been discovered. These are exploitable with malicious archives containing symlinks, and can be exploited to overwrite file contents, flags, and ACL entries. No CVE numbers are assigned for those issues yet. Details at the upstream bug report, another upstream bug report, and the commit message.

To fix this, update to libarchive-3.5.2 or later using the instructions for libarchive (sysv) or libarchive (systemd).
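Both the node-tar item above (11.0 001) and this libarchive item describe the same class of problem: an archive that places a symlink pointing outside the extraction directory and then a later member whose path passes through that link, so that the extractor writes outside the destination. The following is an added example, not code from libarchive, node-tar or the BLFS book: it constructs such an archive in memory (the member names, link target and file contents are made up for the demonstration) and audits its metadata the way a hardened extractor should before writing anything.

```python
import io
import os
import tarfile


def build_sample_archive() -> bytes:
    """Build, in memory, a constructed sample archive of the shape the advisories
    describe: a symlink whose target lies outside the extraction directory, then a
    regular file whose path passes through that symlink, plus one harmless file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        link = tarfile.TarInfo("escape")
        link.type = tarfile.SYMTYPE
        link.linkname = "../outside"          # points above the destination
        tar.addfile(link)

        payload = b"replaced\n"
        through = tarfile.TarInfo("escape/overwritten.txt")
        through.size = len(payload)
        tar.addfile(through, io.BytesIO(payload))   # would land in ../outside/

        ok = tarfile.TarInfo("ok/readme.txt")
        ok.size = 3
        tar.addfile(ok, io.BytesIO(b"hi\n"))
    return buf.getvalue()


def _escapes(rel: str) -> bool:
    """True if a destination-relative path resolves outside the destination."""
    p = os.path.normpath(rel)
    return os.path.isabs(rel) or p == ".." or p.startswith("../")


def audit_archive(tar_bytes: bytes):
    """Return (member name, reason) for every member that would write outside the
    destination, either directly or by passing through a link seen earlier."""
    problems = []
    links = {}   # archive path -> link target, for links seen so far
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for m in tar.getmembers():
            name = os.path.normpath(m.name)
            if _escapes(m.name):
                problems.append((m.name, "path escapes destination"))
                continue
            # any parent component that is an earlier link redirects this member
            parts = name.split("/")
            via = next(("/".join(parts[:i]) for i in range(1, len(parts))
                        if "/".join(parts[:i]) in links), None)
            if via is not None:
                problems.append((m.name, f"path passes through link {via!r}"))
                continue
            if m.issym():
                # symlink targets are relative to the link's own directory
                target = os.path.join(os.path.dirname(name), m.linkname)
                if _escapes(target):
                    problems.append((m.name, f"link target {m.linkname!r} escapes destination"))
                links[name] = m.linkname
            elif m.islnk():
                # hard link targets are relative to the archive root
                if _escapes(m.linkname):
                    problems.append((m.name, f"link target {m.linkname!r} escapes destination"))
                links[name] = m.linkname
    return problems


if __name__ == "__main__":
    for member, reason in audit_archive(build_sample_archive()):
        print(f"REJECT {member}: {reason}")
```

A metadata audit like this is a pre-check, not a replacement for the fixes in node-tar and libarchive: a robust extractor must also re-validate against the real filesystem as it goes (resolving each target path with realpath before creating it), because links can already exist in the destination directory. Recent Python releases ship the same kind of protection as tarfile's `data` extraction filter.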

10.1 099 (LFS) OpenSSL Date: 2021-08-25 Severity: High

Two vulnerabilities in OpenSSL-1.1.1k and earlier releases have been discovered. These are exploitable with malicious inputs and can be used to crash programs linked to OpenSSL. CVE-2021-3711 and CVE-2021-3712 have been assigned, details at CVE-2021-3711 and CVE-2021-3712.

To fix this, update to OpenSSL-1.1.1l or later using the instructions for OpenSSL (sysv) or OpenSSL (systemd).

10.1 098 (LFS) GLIBC Date: 2021-08-24 Severity: High

A vulnerability in the released version of glibc-2.34 has been discovered. This is remotely exploitable and can be used to crash programs linked to glibc. CVE-2021-38604 has been assigned, details at tuxcare and CVE-2021-38604.

In the development book this unfixed vulnerability existed between 2021-08-02 and 2021-08-20, it was also in LFS-11.0-rc1. It has been fixed with a sed in the chapter 8 glibc build.

There is a test file at https://www.linuxfromscratch.org/~xry111/glibc-28213.c : compile that with 'gcc glibc-28213.c -o glibc-28213 -lrt' and run it. If that segfaults, your system is vulnerable.

Some people will be happy to discard the vulnerable system and start over, but the system can be fixed. It is necessary to rebuild glibc, but because the API and ABI have not changed, only the following three files need to be updated: libc.a, libc.so.6, and libc.so.6.dbg (if you did strip the debug symbols).

If you update these files, you should reboot as soon as possible afterwards. The system will not shut down cleanly. After rebooting, recompile and rerun the test program to confirm it now ends normally.

If you are going to fix the existing system, make a usable backup before you start (and check it can be applied in case things go wrong).

One approach is to make a fresh LFS build to the end of chapter 8 using the modified instructions, then copy those 3 files to the running system.

A more adventurous approach is to rebuild (only) glibc in the running system, using the modified instructions. But instead of installing it, make a DESTDIR install followed by stripping and installing only those libraries (watch for any error messages):

[code]
make DESTDIR=/tmp/GLIBC install
cd /tmp/GLIBC/usr/lib
# For each shared library: split off the debug symbols, strip a copy,
# link the stripped copy to its .dbg file, then install both
for LIB in libc.so.6 ; do
    objcopy --only-keep-debug $LIB $LIB.dbg
    cp $LIB /tmp/$LIB
    strip --strip-unneeded /tmp/$LIB
    objcopy --add-gnu-debuglink=$LIB.dbg /tmp/$LIB
    install -vm755 /tmp/$LIB /usr/lib
    rm /tmp/$LIB
    install -vm755 $LIB.dbg /usr/lib
done
# The static library is installed unstripped
install -vm644 libc.a /usr/lib
[/code]

10.1 097 BIND9 Date: 2021-08-19 Severity: High

In BIND-9.16.20, a security vulnerability was fixed that could allow for a trivial-to-exploit remotely-exploitable crash of the BIND DNS server to occur. This is due to an assertion check which is too strict, and gets triggered when responses in BIND 9.16.19 require UDP fragmentation if RRL is in use. Note that this only affects BIND server, not the utilities. This vulnerability has been assigned CVE-2021-25218.

To fix this, update to BIND-9.16.20 or later using the instructions for BIND (sysv) or BIND (systemd).

10.1 096 MC Date: 2021-08-19 Severity: High

Midnight Commander (MC) version 4.8.27 fixed a security vulnerability where the SFTP filesystem layer does not verify the SSH Server Fingerprint when a SFTP connection is established. The fingerprint is calculated, but the verification step is missing. This allows for Man-In-The-Middle attacks and attacks where the hostname has changed, but the IP address has stayed the same, to occur. This could permit unauthorized access and modification of files. This vulnerability has been assigned CVE-2021-36370, but no details are available yet other than the ticket in the Midnight Commander Trac, which can be found at Ticket #4259.

To fix this, update to MC-4.8.27 or later using the instructions for MC (sysv) or MC (systemd).

10.1 095 Firefox Date: 2021-08-17 Severity: High

In firefox 91.0.1 one vulnerability rated as High was fixed, described as a header splitting attack against servers using HTTP/3. This has been allocated CVE-2021-29991 but details are not yet public. For a summary see mfsa-2021-37. Because HTTP/3 is not enabled by default in firefox before version 88, legacy firefox-78 is not affected.

To fix this, update to firefox-91.0.1esr or later : Firefox (sysv) or Firefox (systemd).

10.1 094 OpenJDK Date: 2021-08-17 Severity: High

OpenJDK-16.0.2 brought fixes for six security vulnerabilities. Three of these vulnerabilities allow an unauthenticated attacker with network access via multiple protocols to take over the Java SE runtime environment. Two more of these vulnerabilities give the ability for an unauthenticated remote attacker to create, modify, or delete information from inside the Java SE runtime environment, as well as on the filesystem if they have access to the Java Console. The final vulnerability is a denial of service vulnerability. The OpenJDK developers suggest updating to OpenJDK-16.0.2 or 15.0.5 when it becomes available. These vulnerabilities have been assigned CVE-2021-2388, CVE-2021-2369, CVE-2021-2432, CVE-2021-2341, CVE-2021-2161, and CVE-2021-2163.

To fix these vulnerabilities, update to OpenJDK-16.0.2 or later using the instructions for OpenJDK (sysv), or OpenJDK (systemd).

You may also use the Java binary using the instructions in Java (sysv), or Java (systemd).

10.1 093 Thunderbird Modified: 2021-08-13 Severity: Critical

Thunderbird-78.13.0 and 91.0 fixed several security vulnerabilities. One of these allows for an attacker to remotely inject files, folders, and IMAP commands when a STARTTLS connection is in use. Several of these vulnerabilities have to do with memory corruption, leading to a remotely exploitable crash and/or arbitrary code execution. These vulnerabilities have been assigned CVE-2021-29969, CVE-2021-29970, CVE-2021-30547, CVE-2021-29976, CVE-2021-29980, CVE-2021-29984, CVE-2021-29985, CVE-2021-29986, CVE-2021-29988 and CVE-2021-29989.

To fix these vulnerabilities, update to Thunderbird-91.0 or later using the instructions for Thunderbird (sysv), or Thunderbird (systemd).

10.1 092 PostgreSQL Date: 2021-08-13 Severity: High

PostgreSQL-13.4 fixed a security vulnerability that could allow for a purpose-crafted query to read arbitrary bytes of server memory. In the default configuration, any authenticated database user can complete this attack at will. The attack does not require the ability to create objects. A workaround is to set max_worker_processes=0 inside of your PostgreSQL configuration, however undiscovered variants of the attack may run independently of that setting. It is suggested that you update your PostgreSQL instances to 13.4 as soon as possible. More information can be found at PostgreSQL 13.4 Release Announcement. This vulnerability has been assigned CVE-2021-3677.

To fix this, update to PostgreSQL-13.4 or higher using the instructions for PostgreSQL (sysv), or PostgreSQL (systemd).

10.1 091 node.js Updated: 2021-08-31 Severity: Critical

Node.js-14.17.5 fixed three vulnerabilities, one rated as critical. These have been assigned CVE-2021-22930 (full details not yet public), CVE-2021-22931 and CVE-2021-22939. See 'Node v14.17.5' Node JS News which has links to nvd.nist.gov and cve.mitre.org.

To fix these, update to Node.js-14.17.5 or later using the instructions for Node.js (sysv), or Node.js (systemd).

10.1 090 c-ares Date: 2021-08-12 Severity: Moderate

In c-ares-1.17.2, a security vulnerability was fixed that could allow for Domain Hijacking due to a lack of proper input validation of host names returned by Domain Name Servers within the c-ares library. A proof of concept vulnerability was included with the security announcement. This vulnerability exists in all known versions of c-ares above 1.0.0. The developers suggest upgrading to c-ares-1.17.2 immediately. More details can be found at c-ares Security Advisory. This vulnerability has been assigned CVE-2021-3672.

To fix this, update to c-ares-1.17.2 or later using the instructions for c-ares (sysv), or c-ares (systemd).
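The c-ares item above turns on a resolver accepting host names from DNS answers without checking that they are syntactically valid host names. As an added illustration (not c-ares code, and not the exact rule its fix applies), the example below validates names against the RFC 1123 label syntax and separates a constructed list of answers into accepted and rejected names before any application code could build URLs, file paths or trust decisions from them. The sample answers are made up for the demonstration.

```python
import re

# One RFC 1123 label: 1-63 letters, digits or hyphens, not starting or ending
# with a hyphen. Labels beginning with "_" (SRV-style) are deliberately not
# accepted here; relax the pattern if your resolver must return them.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(name: str) -> bool:
    """Return True only for a syntactically valid host name (trailing dot allowed)."""
    if not name:
        return False
    name = name.rstrip(".")          # accept an absolute name such as "host.example."
    if not name or len(name) > 253:  # overall length limit after the trailing dot
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def filter_resolver_answers(names):
    """Split host names taken from a DNS answer into (accepted, rejected).
    Only the accepted ones should be handed on to application code."""
    accepted = [n for n in names if is_valid_hostname(n)]
    rejected = [n for n in names if not is_valid_hostname(n)]
    return accepted, rejected


# Constructed sample CNAME/PTR targets, not real DNS data.
SAMPLE_ANSWERS = [
    "mail.example.com",
    "web-01.example.com.",
    "-leading-hyphen.example.com",
    "evil.example.com/path",
    "space here.example.com",
    "a" * 64 + ".example.com",
    "double..dot.example.com",
]


if __name__ == "__main__":
    ok, bad = filter_resolver_answers(SAMPLE_ANSWERS)
    print("accepted:", ok)
    print("rejected:", bad)
```

Validation of this kind belongs in the resolver library or immediately after it, so that a hijacked or misconfigured name server cannot smuggle path separators, whitespace or other shell- and URL-significant characters into every program that trusts the resolver's output.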

10.1 089 Firefox Revised: 2021-11-02 Severity: High

In firefox 78.13.0 and 91.0, six vulnerabilities rated as High were fixed. For details see: CVE-2021-29980, CVE-2021-29984, CVE-2021-29985, CVE-2021-29986, CVE-2021-29988, CVE-2021-29989.

To fix these update to firefox-91.0esr or later : Firefox (sysv) or Firefox (systemd) or if you wish to stay on the 78esr series in the short term, update to legacy firefox-78.13.0esr or later: Firefox-legacy (sysv) or Firefox-legacy (systemd). (Firefox-78 is now End of Life).

10.1 088 JS78 Date: 2021-08-11 Severity: High (low for BLFS packages using this)

In the javascript JIT code of firefox-78.13.0 there is a fix for incorrect instruction reordering during JIT optimization, CVE-2021-29984, but details are not yet public; see the advisory for firefox-78.3.0, mfsa-2021-34. In BLFS, JS78 is used by GJS and Polkit, but neither use JIT at the moment.

To fix this, update to JS-78.13.0 or later using the instructions for JS78 (sysv) or JS78 (systemd).

10.1 087 MariaDB Date: 2021-08-08 Severity: Medium

In MariaDB-10.6.4, two medium-severity security vulnerabilities were patched. Both of these vulnerabilities are difficult to exploit, and can result in a Denial Of Service. Note that successful exploitation requires MariaDB to be listening for requests over TCP/IP ports, and not via local applications. Successful exploitation can result in the ability to cause a hang or frequently repeatable crash of the MariaDB process. These vulnerabilities have been assigned CVE-2021-2389 and CVE-2021-2372.

To fix these vulnerabilities, update to MariaDB-10.6.4 or later using the instructions for MariaDB (sysv), or MariaDB (systemd).

10.1 086 MIT Kerberos V5 Date: 2021-08-08 Severity: Medium

MIT Kerberos V5 before 1.19.2 (or 1.18.4) is vulnerable to a denial of service attack due to a NULL pointer dereference. This then causes the krb5 daemon to crash. This vulnerability is remotely exploitable with no user interaction, and this vulnerability is caused by a return value not being properly managed in a rare situation. An unauthenticated attacker can exploit this by sending a request containing the PA-ENCRYPTED-CHALLENGE element without using FAST. If you use Kerberos as anything other than a build dependency, you should update as soon as possible. This vulnerability has been assigned CVE-2021-36222.

To fix this, update to MIT Kerberos V5 1.19.2 or later using the instructions for MIT Kerberos V5 (sysv), or MIT Kerberos V5 (systemd).

10.1 085 Fetchmail Date: 2021-07-30 Severity: Low

Fetchmail before version 6.4.20 was missing initialization of a variable, leading in some circumstances to reading from bad memory locations. This can cause it to log random information (information disclosure), or to segfault, stalling inbound mail. An attacker might be able to exploit the memory corruption to change process behaviour. This has been assigned CVE-2021-36386. Further details are at fetchmail-SA-2021-01.

To fix this, update to Fetchmail-6.2.20 or later using the instructions for Fetchmail (sysv), or Fetchmail (systemd).

10.1 084 node.js Updated: 2021-08-31 Severity: Critical

Node.js-14.17.4 fixed a vulnerability to a use after free attack, where an attacker might be able to exploit the memory corruption to change process behaviour. This has been assigned CVE-2021-22931.

To fix this, update to Node.js-14.17.4 or later using the instructions for Node.js (sysv), or Node.js (systemd).

10.1 083 WebKitGTK+ Date: 2021-07-26 Severity: Critical

WebKitGTK+-2.32.3 contained fixes for 11 security vulnerabilities. These vulnerabilities include six arbitrary code execution vulnerabilities, two cross-site-scripting vulnerabilities, two information leak vulnerabilities, and a port scanning vulnerability. The two information leak vulnerabilities are caused whenever an ImageLoader object or GraphicsContext object loads various image, or graphics, objects. Specially crafted web pages can thus lead to leakage of stack contents. Several of the arbitrary code execution vulnerabilities are known by Apple to be actively exploited, thus prompting a Critical rating by the BLFS team. The port scanning vulnerability allows malicious websites to access restricted ports on local machines on your network. Updating to WebKitGTK+-2.32.3 immediately is suggested if you have Epiphany, Evolution, or some other GNOME components installed. These vulnerabilities have been assigned CVE-2021-21775, CVE-2021-21779, CVE-2021-30663, CVE-2021-30665, CVE-2021-30689, CVE-2021-30720, CVE-2021-30734, CVE-2021-30744, CVE-2021-30749, CVE-2021-30795, CVE-2021-30797, and CVE-2021-30799.

To fix these vulnerabilities, update to WebKitGTK+-2.32.3 or later using the instructions for WebKitGTK+ (sysv), or WebKitGTK+ (systemd).

10.1 082 Seamonkey Date: 2021-07-23 Severity: High

Fixes from firefox-78.12 were included in seamonkey-2.53.8.1. Two apply to Linux builds and are rated as High, a third in ANGLE was also fixed, but that is not used for linux builds. CVEs have been assigned (CVE-2021-29970, CVE-2021-29976) but details are not yet public. mfsa-2021-29.

To fix these, update to Seamonkey-2.53.8.1 or later using the instructions for Seamonkey (sysv) or Seamonkey (systemd).

10.1 081 systemd (LFS and BLFS) Date: 2021-07-23 Severity: High

In systemd-220 and later, a security vulnerability exists that could allow a local attacker to crash systemd, which then causes a kernel panic. This vulnerability is due to a flaw in the FUSE filesystem implementation, and requires the kernel to be upgraded as well, to either Linux-5.10.52 or Linux-5.13.4. systemd constantly monitors /proc/self/mountinfo, and when a file path longer than 8MB is discovered and parsed, systemd will crash with a segmentation fault. The security patch that is available will use a different string duplication function to prevent this crash from occurring. This primarily affects systems with FUSE filesystems, such as SSHFS or NTFS. However, FUSE is also used by XFCE and GNOME because of GVFS. This vulnerability is possible to exploit when automounting USB drives. Filesystem corruption is also possible due to the memory corruption that occurs when systemd crashes. A proof-of-concept exploit is also available in the wild. Due to the merged-/usr changes, upgrading to systemd-249 (with the patch) for non-SVN users is not advised. As a result, patches have been made that you can apply to your build tree and rebuild systemd with. These patches have been made available for LFS 10.0 (246) and LFS 10.1 (247). This vulnerability affects all systems that run systemd-220 or higher. This vulnerability has been assigned CVE-2021-33910.

If you are running LFS git, you can update to systemd-249 with the patch using the instructions in the BLFS book for systemd (systemd). You must also upgrade your kernel to Linux-5.13.4 or later.

If you are running LFS 10.1, you can apply the patch from systemd-247-security_fixes-1.patch to your build tree after applying the other systemd-247 patches and rebuild systemd. You must then upgrade your kernel to Linux-5.10.52 or later.

If you are running LFS 10.0, you can apply the patch from systemd-246-security_fixes-1.patch to your build tree and rebuild systemd. You must then upgrade your kernel to Linux-5.10.52 or later.

10.1 080 Binutils (LFS) Date: 2021-07-23 Severity: Moderate

In Binutils-2.37, four security vulnerabilities were fixed. One of these vulnerabilities allows for arbitrary filesystem access due to a race condition in ar, objcopy, strip and ranlib. When these utilities are being run by a privileged user, an unprivileged user can trick them into getting ownership of arbitrary files on the filesystem through a symbolic link. An additional security vulnerability exists in GNU libiberty, which can result in a crash due to an infinite loop. Two more vulnerabilities allow for arbitrary code execution and memory corruption due to a stack based buffer overflow, or an out-of-bounds write. These vulnerabilities apply to objdump and libiberty. These vulnerabilities cannot be exploited remotely. These vulnerabilities have been assigned CVE-2021-20197, CVE-2021-3648, CVE-2021-3549, and CVE-2021-3530.

To fix these vulnerabilities, update to Binutils-2.37 or later using the instructions from the LFS book for Binutils (sysv), or Binutils (systemd).

10.1 079 cURL Date: 2021-07-23 Severity: Critical

In cURL-7.78.0, four security vulnerabilities were fixed. The first vulnerability will allow malicious content to be stored on disk instead of discarded when using the metalink feature, because the information is not checked against the XML file that contains the hash for the file correctly. Another security vulnerability in the metalink feature will send login credentials in plaintext and pass them on to any server that cURL connects to for a metalink download. Another security vulnerability exists in the way that cURL keeps previous connections stored for use again. Due to a flaw in the logic that handles path name checks, the comparison did not take security certificates into account, and also compared the involved paths case insensitively. This will result in a certificate store bypass as well as the potential of connecting to a compromised server. Another TELNET stack content disclosure vulnerability was fixed, caused by the fix for CVE-2021-22898 in cURL-7.78.0. This could result in keystrokes, including passwords, being leaked to remote attackers during a TELNET session. These vulnerabilities have been assigned CVE-2021-22922, CVE-2021-22923, CVE-2021-22924, and CVE-2021-22925.

To fix these vulnerabilities, update to cURL-7.78.0 or later using the instructions for cURL (sysv), or cURL (systemd).

10.1 078 Linux Kernel (LFS) Date: 2021-07-20 Severity: High

In Linux 5.13.3 and earlier, a vulnerability given the name 'Sequoia' can be used to gain root access via an Out of Bounds write. Details at oss-security with links to a proof of concept program to crash the system, and the promise that details of the exploit will follow. This has been assigned CVE-2021-33909.

To fix this, update to Linux 5.13.4 or later, or Linux-5.10.52 or later (if you prefer to stick with 5.10.y) using the instructions from the LFS book for Linux Kernel (sysv) or Linux Kernel (systemd).

10.1 077 Wireshark Date: 2021-07-20 Severity: Low

In Wireshark before 3.4.7, a security vulnerability was present that could allow for a remote attacker to crash the Wireshark process by injecting a malformed DNP packet, or via a crafted capture file. This issue will manifest itself as a segmentation fault. This vulnerability has been assigned CVE-2021-22235.

To fix this, update to Wireshark-3.4.7 or higher using the instructions for Wireshark (sysv), or Wireshark (systemd).

10.1 076 Apache ANT Date: 2021-07-17 Severity: Moderate

In apache-ant-1.10.11, two security vulnerabilities were fixed that could lead to out-of-resource conditions when extracting ZIP or TAR files during a build process. The problem can also be triggered with JAR files. The out-of-resource condition consists of Out-Of-Memory errors. These are similar to issues in Apache Commons. These two vulnerabilities have been assigned CVE-2021-35517 and CVE-2021-36090.

To fix these, update to apache-ant-1.10.11 or later using the instructions for apache-ant (sysv), or apache-ant (systemd).

10.1 075 Firefox Date: 2021-07-13 Severity: High

In firefox 78.12.0 two vulnerabilities rated as High were fixed. A third vulnerability in ANGLE was also fixed, but that is not used for linux builds. See mfsa-2021-29. CVEs have been assigned (CVE-2021-29970, CVE-2021-29976) but details are not yet public.

To fix these, update to firefox-78.12.0 or later using the instructions for Firefox (sysv) or Firefox (systemd).

10.1 074 Ruby Date: 2021-07-09 Severity: High

In Ruby-3.0.2, three security vulnerabilities were fixed. One of these vulnerabilities allows for the Net::FTP module to connect to another IP address/port and return information about services that are otherwise private and not disclosed (basically allowing the attacker to run a port scan). This is due to invalid verification of FTP PASV responses. Another security vulnerability exists in the Net::IMAP module, where Net::IMAP does not raise an exception when a STARTTLS connection fails with an unknown response. This would allow man-in-the-middle attacks to occur, as well as bypasses of the TLS protections. The third vulnerability is rated High, and is a command injection vulnerability in the RDoc command. When using the RDoc command, if a file name starts with a pipe ("|"), and ends with a tag, the command following the pipe character will be executed. A malicious Ruby project could thus exploit it to run arbitrary commands against a user who attempts to use the RDoc command. It is recommended to update Ruby as soon as possible. These vulnerabilities have been assigned CVE-2021-31810, CVE-2021-32066, and CVE-2021-31799.

To fix these vulnerabilities, update to Ruby-3.0.2 or later using the instructions for Ruby (sysv), or Ruby (systemd).

10.1 073 libuv Date: 2021-07-09 Severity: Moderate

In libuv before 1.41.1, a security vulnerability exists that allows for information disclosure when using the punycode decoder in libuv's IDNA implementation. Several downstream applications use this library and may be affected. This is similar to the vulnerability that was fixed in Node.JS-14.17.2. The vulnerability can be triggered via both uv_getaddrinfo() and uv__idna_toascii(). This vulnerability has been assigned CVE-2021-22918.

To fix this, update to libuv-1.41.1 or later using the instructions for libuv (sysv), or libuv (systemd).

10.1 072 systemd (LFS and BLFS) Date: 2021-07-09 Severity: Moderate

In systemd before 249, a security vulnerability exists that could allow for a remote attacker to reconfigure network settings on systems that use systemd-networkd without any user interaction. This happens due to an issue with the handling of DHCPRENEW packets. With a DHCPRENEW and a DHCPACK packet that is specially crafted, a remote attacker can reconfigure your network settings. Due to the merged-/usr changes, upgrading to systemd-249 for non-SVN users is not advised. As a result, patches have been made that you can apply to your build tree and rebuild systemd with. These patches have been made available for LFS 10.0 (246) and LFS 10.1 (247). This vulnerability affects all systems that use systemd-networkd, and that run systemd-245 or higher (thus, LFS 9.1 is not affected). This vulnerability has been assigned CVE-2020-13529.

If you are running LFS git, you can update to systemd-249 or later using the instructions in the BLFS book for systemd (systemd).

If you are running LFS 10.1, you can apply the patch from systemd-247-security_fix-1.patch to your build tree after applying the other systemd-247 patches and rebuild systemd.

If you are running LFS 10.0, you can apply the patch from systemd-246-security_fix-1.patch to your build tree and rebuild systemd.

10.1 071 Python (LFS and BLFS) Date: 2021-07-09 Severity: Moderate

In Python3 before 3.9.6, a security vulnerability exists that could allow a remote attacker to cause a resource exhaustion via the http.client module. This is due to a flaw where Python will infinitely read potential HTTP headers after a "HTTP 100 Continue" message from the server. This vulnerability has not been assigned a CVE, but more details can be found at BPO-44022.

To fix this, update to Python-3.9.6 or later using the instructions from the BLFS book for Python (sysv) or Python (systemd).

10.1 070 node.js Date: 2021-07-09 Severity: Moderate

In Node.js-14.17.2, a security vulnerability was fixed that could lead to information disclosures or crashes on applications that use Node's dns module. The vulnerability exists in the lookup() function, and occurs due to a similar vulnerability in libuv's uv__idna_toascii() function which is used to convert strings to ASCII. This vulnerability has been assigned CVE-2021-22918.

To fix this, update to Node.js-14.17.2 or later using the instructions for Node.js (sysv), or Node.js (systemd).

10.1 069 PHP Date: 2021-07-01 Severity: Moderate

In PHP-8.0.8, two security vulnerabilities were fixed. One of them could lead to a buffer overflow and thus remote code execution when using a Firebird database, and the other could allow for remote attackers to redirect servers to arbitrary URLs via a SSRF bypass in FILTER_VALIDATE_URL. These options are rather uncommon, which is why these vulnerabilities are rated as Moderate. These vulnerabilities have been assigned CVE-2021-21705 and CVE-2021-21704.

To fix these, update to PHP-8.0.8 or later using the instructions for PHP (sysv), or PHP (systemd).

10.1 068 NetworkManager Date: 2021-06-30 Severity: Moderate

In NetworkManager-1.32.2, a security vulnerability was fixed that could allow for a remote attacker to reconfigure your network information in rare circumstances. This only applies if using a plugin shipped within NetworkManager with some code borrowed from systemd-networkd to get an IP address via DHCP, which is enabled with "dhcp=systemd" in the configuration files. This option is not the default, nor mentioned by NetworkManager documentation or the BLFS book. This vulnerability has been assigned CVE-2020-13529.

If you'd like to use "dhcp=systemd" anyway, to fix this, update to NetworkManager-1.32.2 or later using the instructions for NetworkManager (sysv), or NetworkManager (systemd).

10.1 067 Seamonkey Date: 2021-06-30 Severity: Critical

Fixes from firefox-78.8.0 to 78.8.11 were included in seamonkey-2.53.8. See BLFS #15227. Updating to seamonkey-2.53.8 is highly recommended due to impacts relating to remote code execution, memory safety problems, and command injection via FTP. The following CVEs have been fixed, most of them being High or Critical: CVE-2021-29955, CVE-2021-23981, CVE-2021-23982, CVE-2021-23984, CVE-2021-23987, CVE-2021-23994, CVE-2021-23995, CVE-2021-23998, CVE-2021-23961, CVE-2021-23999, CVE-2021-23402, CVE-2021-29945, CVE-2021-29946, CVE-2021-29951, CVE-2021-29964, and CVE-2021-29967.

To fix these, update to Seamonkey-2.53.8 or later using the instructions for Seamonkey (sysv) or Seamonkey (systemd).

10.1 066 Dovecot Date: 2021-06-29 Severity: High

Two security vulnerabilities were patched in Dovecot-2.3.15. One of these vulnerabilities allows path traversal which can be used as an authentication bypass via OAuth2, forcing Dovecot to accept a key from an attacker-controlled location. This occurs when Dovecot uses JWT validation with the posix filesystem driver. The other vulnerability allows for command injection via STARTTLS. If more commands are pipelined as plaintext after a STARTTLS command is issued, those commands are run as part of the TLS session. This can be used to redirect mail, passwords, and other user variables to an attacker-controlled address. These vulnerabilities have been assigned CVE-2021-29157 and CVE-2021-33515.

To fix these, update to dovecot-2.3.15 or later using the instructions for dovecot (sysv), or dovecot (systemd).

10.1 065 QtWebEngine Date: 2021-06-21 Severity: High

Several more CVEs (from Chromium) in QtWebEngine have been fixed in the upstream_fixes-2 patch (fixes to 2021-06-02): CVE-2021-30518, CVE-2021-30516, CVE-2021-30515, CVE-2021-30513, CVE-2021-30512, CVE-2021-30510, CVE-2021-30508.

To fix these, update to the BLFS 20210401 git tarball with instructions for installing that as 5.15.2 to match Qt5 plus the qtwebengine-20210401-upstream_fixes-2.patch (or update to a later version) using the instructions at QtWebEngine (sysv), or QtWebEngine (systemd).

10.1 064 Qt5 Date: 2021-06-21 Severity: Medium

An Out Of Bounds Read was discovered in the SVG component of Qt. This has been fixed upstream in the paid-for commercial releases, but for the free versions it is necessary to patch it. This vulnerability has been assigned CVE-2021-3481 which is not yet public. For more information see RedHat CVE-2021-3481 or QTBUG-91507.

To fix this, apply the qt-everywhere-src-5.15.2-CVE-2021-3481-1.patch (or update to a later version) using the instructions at Qt5 (sysv), or Qt5 (systemd).

10.1 063 Exiv2 Date: 2021-06-19 Severity: High

In Exiv2-0.27.4, nine security vulnerabilities were fixed. These security vulnerabilities are complex to exploit, but can be exploited remotely through a web browser. Three of these vulnerabilities are arbitrary code execution vulnerabilities, another is an information disclosure vulnerability, and the others are denial of service (crash) vulnerabilities. These vulnerabilities have been assigned CVE-2021-32617, CVE-2021-29623, CVE-2021-29473, CVE-2021-29470, CVE-2021-29464, CVE-2021-29463, CVE-2021-29458, CVE-2021-29457, and CVE-2021-3482.

To fix these, update to exiv2-0.27.4 or higher using the instructions for exiv2 (sysv), or exiv2 (systemd).

10.1 062 Linux Kernel (LFS) Date: 2021-06-16 Severity: High

In Linux 5.12.10 and earlier, several security vulnerabilities existed in the Bluetooth, Xen (virtualization), and wireless networking stacks. The Bluetooth vulnerability can allow for denial of service by allowing a local user to cause a kernel panic by attaching a malicious HCI TTY Bluetooth device. The Xen vulnerability can allow for the network adapter on the host system to fail due to a driver crash in the kernel. This vulnerability can be exploited through a virtual machine running on the system. The wireless stack vulnerabilities impact all cards and could allow for decryption of encrypted packets sent over Wi-Fi Protected Access (WPA/WPA2/WPA3) and Wired Equivalent Privacy (WEP) packets due to a protocol issue that does not require all fragments in a frame to be signed by a single key. Another vulnerability in the ath11k wireless driver can allow for an attacker to inject and decrypt packets in a connection that uses WPA or WPA2 with the TKIP data-confidentiality protocol. Another vulnerability in the ath10k driver allows for a remote attacker to inject arbitrary packets since the plaintext QoS header in a packet is not required to be authenticated under the WPA, WPA2, WPA3, or WEP standard. Another vulnerability in the wireless stack allows for arbitrary network packets to be injected and for the exfiltration of user data regardless of whether any encryption is in place, and fragments are not cleared from memory after reconnecting to a network. These vulnerabilities have been assigned CVE-2021-3564, CVE-2021-28691, CVE-2020-24587, CVE-2020-26141, CVE-2020-24588, CVE-2020-26145, and CVE-2020-24586.

To fix these, update to Linux 5.12.10 or later (5.12 is no longer maintained), or Linux 5.10.44 or later (if you prefer to stick with 5.10.y) using the instructions from the LFS book for Linux Kernel (sysv) or Linux Kernel (systemd).

10.1 061 PDFBox (FOP) Date: 2021-06-15 Severity: Medium

In Apache PDFBox-2.0.24, two security vulnerabilities were fixed. One of the vulnerabilities could lead to infinite loops when loading input files, and the other one may result in an OutOfMemory exception while loading an input file. Both of these issues are classified as Denial-of-Service vulnerabilities. These vulnerabilities have been assigned CVE-2021-31812 and CVE-2021-31811.

To fix these, update the supplemental JAR files in fop to 2.0.24 using the instructions in fop (sysv) or fop (systemd).

10.1 060 Apache HTTPD Updated: 2021-06-15 Severity: Moderate

Seven vulnerabilities were fixed in httpd-2.4.48, of which three were rated as moderate by upstream (currently undergoing analysis at NVD): CVE-2019-17567, CVE-2020-13938, CVE-2020-13950, CVE-2020-35452, CVE-2021-26690, CVE-2021-26691, CVE-2021-30641 (updated 2021-06-15: first link was to an unrelated CVE, corrected).

To fix these, update to at least HTTPD-2.2.48 using the instructions for Apache (sysv) or Apache (systemd).

10.1 059 Intel Microcode Date: 2021-06-08 Severity: High

Intel microcode for Skylake and later processors has been updated to fix three vulnerabilities: a privilege escalation via Virtualization for direct I/O, rated as High (Intel-SA-00442 / CVE-2021-24489), and two potential information disclosures by local access, rated as Medium (Intel-SA-00464 / CVE-2020-24511 and Intel-SA-00465 / CVE-2020-24513). The CVE details are not yet public.

To fix these, update to at least microcode-20210608 using the instructions for About Firmware (sysv) or About Firmware (systemd).

10.1 058 Polkit Date: 2021-06-06 Severity: High

In Polkit-0.119, a security vulnerability was fixed that can allow for unprivileged users to gain root access on the system by calling a process that uses "polkit_system_bus_name_creds_sync" too many times, and also by not checking for the error value correctly. This vulnerability can be used by an unprivileged local attacker to bypass authorization and escalate privileges up to the root user. This affects polkit back to 0.113. This vulnerability has been assigned CVE-2021-3560.

To fix this, update to Polkit-0.119 or later using the instructions for Polkit (sysv) or Polkit (systemd).

10.1 057 Wireshark Date: 2021-06-06 Severity: Low

In Wireshark-3.4.6, a security vulnerability was fixed that could allow a malformed DVB-S2-BB packet to cause a denial of service due to excessive CPU resource consumption. This is due to an infinite loop. There is no CVE for this vulnerability, but the information can be found under "Security Advisories" on the Wireshark website. More details can be found at wnpa-sec-2021-05.

To fix this, update to Wireshark-3.4.6 or later using the instructions for Wireshark (sysv) or Wireshark (systemd).

10.1 056 Thunderbird Date: 2021-06-06 Severity: High

In Thunderbird-78.11.0, a security vulnerability was fixed that was rated as High. This security vulnerability pertains to several memory safety issues that were addressed by the Mozilla developers. More details can be found at mfsa2021-26. This security vulnerability has been assigned CVE-2021-29967.

To fix this, update to Thunderbird-78.11.0 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).

10.1 055 Firefox Date: 2021-06-01 Severity: High

In firefox 78.11.0 two vulnerabilities were fixed, one rated as High. See mfsa2021-24. CVEs have been assigned (CVE-2021-29964, CVE-2021-29967) but details are not yet public.

To fix these, update to firefox-78.11.0 or later using the instructions for Firefox (sysv) or Firefox (systemd).

10.1 054 Linux Kernel (LFS) Updated: 2021-03-31 Severity: High

In Linux 5.12.7 and all earlier kernels back to 2.6.12 a "confused deputy" weakness exists, which makes it possible to trick another process (which may have different credentials) into writing to its own /proc/$pid/attr/ files, leading to unexpected and possibly exploitable behaviors. Further details in the links at Linux-Confused-Deputy-2.6.12.

To fix this, update to Linux 5.12.8 or later (or Linux 5.10.41 or later if you prefer to stick with 5.10.y, or for old systems Linux 5.4.123 or later) using the instructions from the LFS book for Linux Kernel (sysv) or Linux Kernel (systemd). Note that since August linux-5.12 kernels are no longer maintained.

10.1 053 ISC DHCP Date: 2021-05-29 Severity: High

ISC DHCP (dhclient and dhcpd) before 4.4.2-P1 is affected by a vulnerability that allows for DHCP leases to be improperly deleted, or for the DHCP client and server services to be terminated improperly. This is due to a buffer overrun, and may be exploited remotely to allow for a denial of service (network outage) or for improper DHCP leases to be issued. No user interaction is required. If you use dhclient or dhcpd, it is highly recommended that you update as soon as possible. This vulnerability has been assigned CVE-2021-25217.

To fix this, update to DHCP-4.4.2-P1 or later using the instructions for DHCP (sysv) or DHCP (systemd).

10.1 052 Expat Date: 2021-05-29 Severity: Medium

Expat before 2.4.0 is vulnerable to Denial of Service ('billion laughs') attacks. The vulnerability was initially reported for versions up to 2.1, but protection has been strengthened in the 2.4.0 release: see blog.hartwork.org, and CVE-2013-03405.

To fix this, update to Expat-2.4.1 or later, using the instructions in Expat (sysv) or Expat (systemd). Note: If you have installed docbook-utils from BLFS you will need to add "--without-docbook" to work around an error in configure, since our installation of docbook-utils uses SGML instead of XML.

10.1 051 cURL Date: 2021-05-26 Severity: Critical

In cURL-7.77.0, three security vulnerabilities were fixed. The first one only applies to Windows systems and is therefore irrelevant to LFS. The second vulnerability allows the stack to be disclosed to a remote attacker while a TELNET session is in progress. The third vulnerability, which is rated as high, allows for remote code execution on HTTPS sessions. The TELNET vulnerability is due to an issue with an uninitialized variable, and the remote code execution vulnerability is due to a use-after-free. This vulnerability has been called the "TLS session caching disaster", and instructions for achieving remote code execution have been released to the public. Therefore, it is suggested that you update immediately. Note that this only applies to systems which use OpenSSL as their SSL backend, which is the default configuration in BLFS. These vulnerabilities have been assigned CVE-2021-22897, CVE-2021-22898, and CVE-2021-22901.

To fix these vulnerabilities, update to cURL-7.77.0 or later as soon as possible using the instructions at cURL (sysv), or cURL (systemd).

10.1 050 libX11 Date: 2021-05-19 Severity: Critical

In libX11-1.7.1, a security vulnerability was fixed that allows command injection through the libX11 API protocol. This vulnerability exists in the XLookupColor function, intended for server-side color lookup. The flaw consists of a client being allowed to send color names longer than the maximum size allowed, and also longer than the maximum packet size for normalized packets. This then allows the X server authorization process to be disabled completely, as the end of the packet is then considered a protocol command. This vulnerability has existed since February of 1986. This vulnerability has been rated at a 9.3 CRITICAL on the CVSS scale, and has been assigned CVE-2021-31535; more information can be found at libX11 security advisory.

To fix this vulnerability, update to libX11-1.7.1 or later using the instructions at Xorg Libraries (sysv), or Xorg Libraries (systemd).

10.1 049 postgresql Date: 2021-05-18 Severity: Medium

In PostgreSQL-13.3, three security vulnerabilities were fixed that could allow for memory disclosure as well as a buffer overrun caused by an integer overflow in array subscripting calculations. The buffer overrun could allow authenticated database users to write arbitrary bytes to a wide area of server memory. The memory disclosure vulnerabilities both allow an attacker to read arbitrary bytes of server memory, when executing UPDATE...RETURNING commands on partitioned tables, and when executing INSERT...ON CONFLICT... DO UPDATE commands on a purpose-crafted table. In the default PostgreSQL configuration, any authenticated database user can create the prerequisite objects and complete this attack at will. Users lacking the CREATE and TEMPORARY privileges on all databases and the CREATE privilege on all schemas cannot exploit this attack. These vulnerabilities have been assigned CVE-2021-32028, CVE-2021-32029, and CVE-2021-32027.

To fix these vulnerabilities, update to PostgreSQL-13.3 or later using the instructions at PostgreSQL (sysv), or PostgreSQL (systemd).

10.1 048 rxvt-unicode Updated: 2021-05-18 Severity: High

A security vulnerability was fixed in rxvt-unicode-9.26 that may allow for remote code execution. An exploit has been discovered in the wild and was published to the oss-security mailing list. The vulnerability occurs due to the way that rxvt handles ANSI escape sequences, replying to queries with a newline-terminated message, and will allow applications to execute without user intervention. This was originally graded as critical (no CVE was available) but the details at CVE-2021-33477 now show it as high severity.

To fix this vulnerability, update to rxvt-unicode-9.26 or later using the instructions at rxvt-unicode (sysv), or rxvt-unicode (systemd).

10.1 047 libxml2 Date: 2021-05-18 Severity: Medium

In libxml2-2.9.12, a security vulnerability was fixed (in addition to all of the ones covered in libxml2-2.9.10-security_fixes-1.patch) that allows for a denial of service (system resource exhaustion) when processing a crafted XML file. This occurs through an exponential entity expansion attack, and it bypasses all existing protection mechanisms. This vulnerability has been assigned CVE-2021-3541.

To fix this, update to libxml2-2.9.12 or later using the instructions at libxml2 (sysv), or libxml2 (systemd).

10.1 046 Exiv2 Date: 2021-05-17 Severity: High

Five CVEs in exiv2-0.27.3, one rated as High, have been fixed upstream but as yet there is no new release : CVE-2021-3482, CVE-2021-29457, CVE-2021-29458, CVE-2021-29470, CVE-2021-29473.

To fix these, apply the exiv2-0.27.3-security_fixes-1.patch (or update to a later version) using the instructions at Exiv2 (sysv), or Exiv2 (systemd).

10.1 045 Samba Date: 2021-05-12 Severity: Critical

In Samba-4.14.4, a security vulnerability was fixed that allows for users to have unauthorized access to information, as well as the ability for users to modify/delete files from shares that they should not have access to. The underlying cause of this vulnerability is an out-of-bounds read that sometimes occurs when mapping Windows group identities (SIDs) into Unix group IDs (gids). The code that handles this could read data beyond the end of an array in the case that a negative cache entry had been added to the cache. This would then cause the conversion code to return those values into the process token that stores the group membership of a user. This vulnerability was originally spotted at Linkoping University, where a user was found deleting files from a network share that they were not supposed to have access to. If you are using the Samba file server to share files, it is suggested that you update immediately. Other impacts include potential server crashes, as well as impacts to data confidentiality and integrity. This vulnerability has been assigned CVE-2021-20254.

To fix this vulnerability, update to Samba-4.14.4 or later using the instructions for Samba (sysv) or Samba (systemd).

10.1 044 MariaDB Date: 2021-05-12 Severity: Medium

Two security vulnerabilities were corrected in mariadb-10.5.10. These vulnerabilities allowed for remotely exploitable crashes of the MariaDB database server. Both of these vulnerabilities are simple to exploit and can result in repeatable crashes over the network. These vulnerabilities have been assigned CVE-2021-2166 and CVE-2021-2154.

To fix these vulnerabilities, update to MariaDB-10.5.10 or later using the instructions for MariaDB (sysv) or MariaDB (systemd).

10.1 043 Wireshark Date: 2021-05-12 Severity: Medium

A security vulnerability was fixed in Wireshark that could allow for excessive memory and CPU consumption when using the MS-WSP packet dissector. This vulnerability could be exploited via a malformed packet, either by placing the malformed packet onto the wire while Wireshark is capturing packets, or by convincing someone to read a malformed packet trace file. This vulnerability could allow a remote attacker to run the system out of memory, and thus can cause a denial of service. This vulnerability has been assigned CVE-2021-22207.

To fix this vulnerability, update to Wireshark-3.4.5 or later using the instructions for Wireshark (sysv) or Wireshark (systemd).

10.1 042 libjpeg-turbo Date: 2021-05-12 Severity: Low

A security vulnerability was discovered in the "cjpeg" utility included with libjpeg-turbo. This vulnerability is classified as a denial of service vulnerability, and is caused by a divide-by-zero error when processing some GIF images. The highest impact would be a crash of the 'cjpeg' application, thus this vulnerability has been rated as Low. This vulnerability has been assigned CVE-2021-20205.

To fix this vulnerability, update to libjpeg-turbo-2.1.0 or later using the instructions for libjpeg (sysv) or libjpeg (systemd).

10.1 041 Rustc Date: 2021-05-11 Severity: Critical

Eight vulnerabilities have been found in the rust standard library before 1.52.0, or in crates which use it. One of the critical CVEs was raised as 'before 1.53.0', but the fix has been backported to 1.52.0.

For the general case (where static libraries are used and a variety of crates might be built) the advice is to update both rust and all the packages which use it.

For BLFS with its limited number of crates which use rust, it can be shown (e.g. by removing the /opt/rustc symlink) that the built programs do not use the standard library at runtime, and therefore the vulnerabilities are assumed to have applied only at compile time. Nevertheless, the incorrect code has been available and it may be that the resulting programs can do incorrect things. The safest advice is to update rust and then rebuild (or update) all the packages which use it.

The relevant CVEs are: CVE-2021-227376, CVE-2021-28036, CVE-2021-28875, CVE-2021-28876, CVE-2021-28877, CVE-2021-28878, CVE-2021-28879, CVE-2021-31162. To fix rust, update to rustc-1.52.0 (or a later version) using the instructions for Rust (sysv) or Rust (systemd).

10.1 040 QtWebEngine Updated: 2021-05-07 Severity: Critical

Many CVEs (from Chromium) in QtWebEngine have been fixed in the upstream_fixes-1 patch (fixes to 2021-05-03) : CVE-2021-21233, CVE-2021-21231, CVE-2021-21230, CVE-2021-21227, CVE-2021-21225, CVE-2021-21224, CVE-2021-21223, CVE-2021-21222, CVE-2021-21221, CVE-2021-21220, CVE-2021-21219, CVE-2021-21218, CVE-2021-21217, CVE-2021-21214, CVE-2021-21213, CVE-2021-21209, CVE-2021-21207, CVE-2021-21206, CVE-2021-21204, CVE-2021-21203, CVE-2021-21202, CVE-2021-21201.

Of these, two were rated as critical and at least one other rated as high has public exploit code available.

To fix these, update to the BLFS 20210401 git tarball with instructions for installing that as 5.15.2 to match Qt5 plus the qtwebengine-20210401-upstream_fixes-1.patch (or update to a later version) using the instructions at QtWebEngine (sysv), or QtWebEngine (systemd).

10.1 039 Ruby Date: 2021-05-04 Severity: Medium

In ruby-3.0.1, a security vulnerability was fixed that could lead to improper generation of XML files, including malicious code. This has been classified as an "XML round-trip vulnerability". The ruby developers suggest upgrading the REXML gem if updating Ruby on your system is not feasible. This can be done by executing "gem upgrade rexml". The fixed gem has been bundled with ruby-3.0.1. This vulnerability has been assigned CVE-2021-28965.

To fix this vulnerability, update to ruby-3.0.1 or higher using the instructions for ruby (sysv) or ruby (systemd).

10.1 038 Exim Date: 2021-05-04 Severity: Critical

In Exim-4.94.2, twenty-one security vulnerabilities were patched. These vulnerabilities can allow for local privilege escalation, remote code execution, arbitrary code execution in the context of the Exim user, command injection, modification of mails, modification/deletion of files, and more. Ten of these vulnerabilities can be exploited remotely, while the other eleven can be exploited locally. If you have any systems running Exim, this is considered an urgent matter. There are multiple exploits available in the wild for these vulnerabilities. These vulnerabilities have been assigned CVE-2020-28007, CVE-2020-28008, CVE-2020-28014, CVE-2021-27216, CVE-2020-28011, CVE-2020-28010, CVE-2020-28013, CVE-2020-28016, CVE-2020-28015, CVE-2020-28012, CVE-2020-28009, CVE-2020-28017, CVE-2020-28020, CVE-2020-28023, CVE-2020-28021, CVE-2020-28022, CVE-2020-28026, CVE-2020-28019, CVE-2020-28024, CVE-2020-28018, and CVE-2020-28025. Additional information can be found at Qualys Security Blog - 21Nails: Multiple Critical Vulnerabilities in Exim Mail Server.

To fix these vulnerabilities, update to Exim-4.94.2 or higher as soon as possible using the instructions for Exim (sysv) or Exim (systemd).

10.1 037 BIND Date: 2021-05-01 Severity: High

In BIND-9.16.15, three security vulnerabilities were fixed that could result in crashes and remote code execution on 32-bit platforms. One security vulnerability is rated as Medium, while the other two (one of which leads to remote code execution on 32-bit platforms, and crashes on 64-bit platforms) are rated as High. These vulnerabilities have been assigned CVE-2021-25214, CVE-2021-25215, and CVE-2021-25216. Additional information can be found at BIND Release Announcement.

To fix these vulnerabilities, update to BIND-9.16.15 or higher using the instructions for BIND (sysv) or BIND (systemd).

10.1 036 OpenSSH Date: 2021-05-01 Severity: Medium

In OpenSSH-8.6p1, a security vulnerability was fixed that was introduced in version 8.5p1 with the addition of the LogVerbose keywords. When this option was enabled with a set of patterns that activated logging in code that runs in the lower-privileged/sandboxed sshd process, the log messages were constructed in a way that printf(3) format strings could effectively be specified in the lower-privileged code. As a result, an attacker who had successfully exploited the lower-privileged process could use the logging feature to escape the sandbox and attack the higher-privileged process. No CVE has been assigned at this time. More details can be found at Announce: OpenSSH 8.6 released.

To fix this, update to OpenSSH-8.6p1 or later using the instructions for OpenSSH (sysv) or OpenSSH (systemd).

10.1 035 Python (LFS and BLFS) Date: 2021-04-29 Severity: High

In Python3 before 3.9.4 'pydoc' can be used to read arbitrary files, including those containing sensitive data. This has been assigned CVE-2021-3426 but the details are not yet public. See CVE-2021-3426 at debian.

To fix this, update to Python-3.9.4 or later using the instructions from the BLFS book for Python (sysv) or Python (systemd).

10.1 034 Xorg-Server Date: 2021-04-29 Severity: High

In Xorg-Server before version 1.20.11 an integer underflow in the Xinput extension can lead to out of bounds memory accesses. This can lead to local privilege escalations (to root) if the X server is running privileged. This has been assigned CVE-2021-3472.

To fix this, update to at least Xorg-Server-1.20.11 using the instructions for Xorg-Server (sysv) or Xorg-Server (systemd).

10.1 033 Thunderbird Date: 2021-04-26 Severity: High

Nine security vulnerabilities were fixed in Thunderbird-78.10.0, of which two were rated as High. See mfsa2021-14.

To fix these, update to Thunderbird-78.10.0 or later using the instructions for Thunderbird (sysv), or Thunderbird (systemd).

10.1 032 Firefox Date: 2021-04-19 Severity: High

In firefox 78.10.0 several vulnerabilities were fixed, two are rated as High. See mfsa2021-15. CVEs have been assigned (CVE-2021-23994, CVE-2021-23995, CVE-2021-23999, CVE-2021-24002, CVE-2021-29945, CVE-2021-29946) but details are not yet public.

To fix these, update to firefox-78.10.0 or later using the instructions for Firefox (sysv) or Firefox (systemd).

10.1 031 librsvg Date: 2021-04-14 Severity: Medium

A security vulnerability was fixed in librsvg-2.50.4 that applied to one of the rust crates involved with building the librsvg library. This vulnerability existed within the generic-array crate, and allowed for variables to stick around for longer than their expected lifetime. This could lead to memory corruption scenarios. This vulnerability has been assigned RUSTSEC-2020-0146.

To fix this, update to librsvg-2.50.4 or later using the instructions in librsvg (sysv), or librsvg (systemd).

10.1 030 cifs-utils Date: 2021-04-14 Severity: Medium

A security vulnerability was discovered in cifs-utils before 6.13. When using kerberos authentication, authentication credentials can leak when running the cifs.upcall command. This same vulnerability can also permit privilege escalation of a local user. This vulnerability has been assigned CVE-2021-20208.

To fix this, update to cifs-utils-6.13 or later using the instructions in cifs-utils (sysv), or cifs-utils (systemd).

10.1 029 NetworkManager Updated: 2021-09-01 Severity: Medium

A security vulnerability was found in NetworkManager up to 1.30.2 where a local or remote attacker could set a "match.path" statement in a Network file, which would cause NetworkManager to crash. The root cause of this vulnerability is improper input validation. This vulnerability has been assigned CVE-2021-20297.

To fix this, update to NetworkManager-1.30.4 or later using the instructions at NetworkManager (sysv), or NetworkManager (systemd).

10.1 028 Avahi Date: 2021-04-14 Severity: Medium

A security vulnerability was found in Avahi that could allow an infinite loop to be triggered when an attacker writes a long line to /run/avahi-daemon/socket. The event used to signal the termination of a client connection was not correctly handled. This vulnerability has been assigned CVE-2021-3468.

To fix this, apply a sed to Avahi using the instructions in Avahi (sysv), or Avahi (systemd).

10.1 027 Thunderbird Updated: 2021-04-11 Severity: Medium

Three security vulnerabilities were fixed in Thunderbird-78.9.1. All three of them affect systems that have OpenPGP keys configured for encrypted email. These vulnerabilities have been rated Moderate, and have been assigned CVE-2021-23991, CVE-2021-23992, CVE-2021-23993. Additional information can be found at MSFA2021-13.

To fix these, update to Thunderbird-78.9.1 or later using the instructions at Thunderbird (sysv), or Thunderbird (systemd).

10.1 026 QtWebEngine Updated: 2021-04-09 Severity: High

Several CVEs (from Chromium) in QtWebEngine have been fixed in the snapshot dated 20210401 : CVE-2021-21198, CVE-2021-21195, CVE-2021-21193, CVE-2021-21191, CVE-2021-21187, CVE-2021-21184, CVE-2021-21183, CVE-2021-21166, CVE-2020-27844.

To fix these, update to the BLFS 20210401 git tarball with instructions for installing that as 5.15.2 to match Qt5 (or update to a later version) using the instructions at QtWebEngine (sysv), or QtWebEngine (systemd).

10.1 025 Node.js Date: 2021-04-09 Severity: High

Node.JS-14.16.1 fixed three security vulnerabilities. Two are in OpenSSL but can be exploited through Node.js if you have not updated that package to Openssl-1.1.1k or later, see 10.1-011.

The third vulnerability is 'Prototype Pollution' in the y18n JS package used in npm. Information can be found at April 2021 Security Releases, CVE-2020-7774 and for an explanation of 'Prototype Pollution' see SNYK-JAVA-ORGWEBJARSNPM-1038306.

To fix these, update to Node.JS-14.16.1 or later using the instructions at Node.JS (sysv) or Node.JS (systemd).

10.1 024 XDG-Utils Date: 2021-04-02 Severity: Medium

In the xdg-email component of xdg-utils 1.1.0rc1 and newer, an attacker could potentially send a victim a URI that automatically attaches a sensitive file to a new email. If a victim user does not notice that an attachment was added and sends the email, this could result in sensitive information disclosure.

This has been assigned CVE-2020-27748 but the upstream issue at gitlab remains open.

In the meantime, to mitigate this flaw, either do not use mailto links at all, or always double-check in the user interface that there are no unwanted attachments before sending emails, especially when the email originates from clicking on a mailto link.

10.1 023 Libssh2 Date: 2021-04-02 Severity: High

In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server. This has been assigned CVE-2019-17498.

This has been fixed upstream, but no new version has been released. To fix this, apply the patch libssh2-1.9.0-security_fix-1.patch using the instructions for libssh2 (sysv) or libssh2 (systemd) or update to a later version of Libssh2 if one is released.

10.1 022 Flac Date: 2021-04-02 Severity: Medium

In Flac up to and including 1.3.3 a heap buffer overflow leading to a possible out of bounds read has been discovered. This could lead to remote information disclosure with no additional execution privileges needed and has been assigned CVE-2020-0499.

This has been fixed upstream, but no new version has been released. To fix this, apply the patch flac-1.3.3-security_fixes-1.patch using the instructions for Flac (sysv) or Flac (systemd) or update to a later version of Flac if one is released.

10.1 021 Seamonkey Date: 2021-03-31 Severity: Critical

Fixes from firefox-78.6.1 to 78.8.0 were included in seamonkey-2.53.7. See BLFS #14840. The following CVEs have been fixed, most of them being High or Critical: CVE-2020-16044, CVE-2021-23953, CVE-2021-23954, CVE-2020-26976, CVE-2021-23960, CVE-2021-23964, CVE-2020-16048, CVE-2021-23969, CVE-2021-23968, CVE-2021-23973, and CVE-2021-23978.

To fix these, update to Seamonkey-2.53.7 or later using the instructions for Seamonkey (sysv) or Seamonkey (systemd).

10.1 020 cURL Date: 2021-03-31 Severity: Medium

In cURL-7.76.0, two vulnerabilities were fixed that may lead to disclosure of sensitive information or authentication bypass. These vulnerabilities have been assigned CVE-2021-22876 and CVE-2021-22890. Additional information can be found on the cURL website.

To fix these vulnerabilities, update to cURL-7.76.0 or higher using the instructions for cURL (sysv) or cURL (systemd).

10.1 019 Python 2 Date: 2021-03-31 Severity: Critical

Recent Python 3 releases fixed multiple vulnerabilities that may lead to denial of service, remote code execution, or web cache poisoning. Python 2 is already EOL and has not received these fixes. The vulnerabilities have been assigned CVE-2019-20907, CVE-2020-8492, CVE-2020-26116, CVE-2020-27619, CVE-2021-3177, and CVE-2021-23336.

To fix these vulnerabilities, it's recommended to port everything using Python 2 to use Python 3 instead.

If you decide to stick with Python 2 anyway, rebuild Python 2 with a security patch using the instructions for Python 2 (sysv) or Python 2 (systemd).

10.1 018 WebKitGTK Date: 2021-03-31 Severity: Critical

In WebKitGTK-2.32.0, three security vulnerabilities were fixed that could lead to arbitrary code execution. These vulnerabilities have been assigned CVE-2021-1788, CVE-2021-1844, and CVE-2021-1871. Additional information can be found at WSA-2021-0003.

To fix these vulnerabilities, update to WebKitGTK-2.32.0 or higher using the instructions for WebKitGTK (sysv) or WebKitGTK (systemd).

10.1 017 glib2 Updated: 2021-04-14 Severity: High

In glib-2.66.8, a medium-severity security vulnerability (CVE-2021-28153) was fixed: g_file_replace() could follow a symlink, so a malicious archive extracted with file-roller could create files elsewhere in the filesystem and may also be able to overwrite existing files. An additional vulnerability rated High (CVE-2021-27218) was fixed in glib-2.66.7: on a 64-bit platform a length of 4GB or more passed to g_byte_array_new_take() was truncated, so a buffer could be treated as much shorter than it really is. Additional information can be found at file-roller symlink attack (#2325).

To fix these vulnerabilities, update to glib-2.66.8 or later using the instructions for glib (sysv) or glib (systemd).

10.1 016 Samba Date: 2021-03-28 Severity: High

In Samba-4.14.2, two security vulnerabilities were fixed that could lead to denial of service or disclosure of sensitive information. These vulnerabilities have been assigned CVE-2020-27840 and CVE-2021-20277.

To fix these vulnerabilities, update to Samba-4.14.2 or higher using the instructions for Samba (sysv) or Samba (systemd).

If you prefer to stick with the 4.13 series, update to Samba-4.13.7 or higher using the instructions for Samba (10.1 sysv) or Samba (10.1 systemd).

10.1 015 WebKitGTK Date: 2021-03-28 Severity: Critical

In WebKitGTK-2.30.6, seven security vulnerabilities were fixed that could lead to arbitrary code execution, improper data deletion, sandbox escapes, and access to restricted ports on arbitrary servers. One of the vulnerabilities has an exploit in the wild and is being actively exploited. These vulnerabilities have been assigned CVE-2020-27918, CVE-2020-29623, CVE-2021-1765, CVE-2021-1789, CVE-2021-1799, CVE-2021-1801, and CVE-2021-1870. Additional information can be found at WSA-2021-0002.

To fix these vulnerabilities, update to WebKitGTK-2.30.6 or higher using the instructions for WebKitGTK (sysv) or WebKitGTK (systemd).

10.1 014 lxml Date: 2021-03-27 Severity: Medium

In lxml-4.6.3, a Cross Site Scripting vulnerability was fixed in the HTML Cleaner: it did not sanitize the HTML5 formaction attribute, so JavaScript code carried in that attribute was passed through into the cleaned output. This vulnerability has been assigned CVE-2021-28957.

To fix this, update to lxml-4.6.3 or later using the instructions for lxml (sysv) or lxml (systemd).
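The formaction problem above is an instance of a general sanitizer mistake: the list of URL-bearing attributes was incomplete. The following is an added example (not code from lxml or from the BLFS book) showing what a cleaner, or a regression test for one, must do: treat every navigable attribute the same way and normalise the scheme the way browsers do before comparing it. The attribute list, the scheme list and the sample markup are assumptions constructed for the example; only the stdlib html.parser is used, so it runs without lxml.

```python
import re
from html.parser import HTMLParser

# Attributes whose value is a URL the browser may navigate to or load. 'formaction' is the one
# the lxml Cleaner overlooked before 4.6.3; a sanitizer must treat it like 'action' and 'href'.
# This set is an assumption for the example, not lxml's own list.
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href",
             "background", "poster", "dynsrc", "lowsrc"}
DANGEROUS_SCHEMES = {"javascript", "vbscript"}

# Browsers strip leading/trailing C0 controls and spaces, and remove tab, LF and CR
# anywhere in a URL, so "&#9;Java\nScript:" still reaches the JavaScript engine.
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def url_scheme(value):
    """Return the lower-cased scheme a browser would see for an attribute value, or None."""
    v = value.strip(_C0_AND_SPACE).replace("\t", "").replace("\n", "").replace("\r", "")
    m = re.match(r"([A-Za-z][A-Za-z0-9+.\-]*):", v)
    return m.group(1).lower() if m else None


class ScriptUrlFinder(HTMLParser):
    """Collect (tag, attribute, raw value) for every URL attribute carrying a script scheme."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:  # html.parser lower-cases names and unescapes entities
            if value is None:
                continue
            if name in URL_ATTRS and url_scheme(value) in DANGEROUS_SCHEMES:
                self.findings.append((tag, name, value))


def find_script_urls(html):
    parser = ScriptUrlFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample input, not taken from any real page or test-suite.
SAMPLE = """<form action="/search">
  <input type="text" name="q">
  <button formaction="javascript:alert(document.cookie)">go</button>
  <button formaction="&#9;JaVaScRiPt:alert(1)">obfuscated</button>
  <a href="https://example.org/ok">fine</a>
  <img src="/static/logo.png" alt="">
</form>"""


if __name__ == "__main__":
    for tag, attr, value in find_script_urls(SAMPLE):
        print(f"<{tag} {attr}=...> -> {value!r}")
```

Both buttons are flagged, including the one whose scheme is hidden behind an entity-encoded tab and mixed case; a cleaner that compares the raw attribute value against the literal string "javascript:" would miss it. The same normalisation applies to href and action, which is why a single shared check, rather than per-attribute special cases, is the safer design.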

10.1 013 Nettle Date: 2021-03-27 Severity: High

In Nettle-3.7.2, a security vulnerability was fixed that could produce incorrect results, or crashes with assertion failures, when verifying some ECDSA signatures. It affects the secp224r1 and secp521r1 curves, and the maintainer suggests upgrading immediately because of the severity of the bug. More information can be found here: ANNOUNCE: Serious bug in Nettle's ecdsa_verify.

To fix this, update to Nettle-3.7.2 or later using the instructions for Nettle (sysv) or Nettle (systemd).

10.1 012 Thunderbird Date: 2021-02-26 Severity: High

In Thunderbird before 78.9.0 there were two vulnerabilities rated as High for linux systems (the ANGLE graphics library item only applies to MS Windows), see mfsa2021-12: CVE-2021-23981 and CVE-2021-23987.

To fix these, update to thunderbird-78.9.0 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).

10.1 011 OpenSSL (LFS) Date: 2021-03-26 Severity: Critical

In OpenSSL-1.1.1k, two high severity security vulnerabilities were fixed. One of these allows for a complete bypass of the CA certificate check, and the other is a trivial-to-exploit vulnerability that lets remote attackers crash any application that uses OpenSSL on the system. Upgrading to OpenSSL-1.1.1k is suggested, as soon as possible. These vulnerabilities have been assigned CVE-2021-3450 and CVE-2021-3449.

To fix these, update to OpenSSL-1.1.1k or later using the instructions in OpenSSL (sysv) or OpenSSL (systemd).

10.1 010 PDFBox (FOP) Date: 2021-03-25 Severity: Medium

In Apache PDFBox-2.0.23, two security vulnerabilities were fixed. One of the vulnerabilities could lead to infinite loops when loading input files, and the other one may result in an OutOfMemory exception while loading an input file. Both of these issues are classified as Denial-of-Service vulnerabilities. These vulnerabilities have been assigned CVE-2021-27906 and CVE-2021-27807.

To fix these, update the supplemental JAR files in fop to 2.0.23 or update to a later version using the instructions in fop (sysv) or fop (systemd).

10.1 009 JS78 Date: 2021-03-23 Severity: Medium

In the javascript code of firefox-78.9.0 there are hardening fixes against Spectre attacks, see BLFS #14804.

To fix this, update to JS-78.9.0 or later using the instructions for JS78 (sysv) or JS78 (systemd).

10.1 008 Firefox Date: 2021-03-23 Severity: High

In firefox 78.9.0 several vulnerabilities were fixed, two are rated as High. See mfsa2021-11. See CVE-2021-23981, CVE-2021-23982, CVE-2021-23984 and CVE-2021-23987.

To fix these, update to firefox-78.9.0 or later using the instructions for Firefox (sysv) or Firefox (systemd).

10.1 007 Gstreamer Updated: 2021-03-21 Severity: High

In gstreamer-1.18.4 (including plugins), five high severity security vulnerabilities were fixed. Two of them were in gst-plugins-good, one in gst-plugins-ugly, one in gst-libav, and one in gst-plugins-base. Upon successful exploitation, these vulnerabilities can lead to application crashes and arbitrary code execution. More details can be found at GStreamer Security Center.

To fix these vulnerabilities, update the entire gstreamer stack to 1.18.4 using the instructions in the gstreamer pages, starting at gstreamer (sysv) or gstreamer (systemd).

If you are maintaining a system which is still using gstreamer-1.16.3 you should go to the Gstreamer Security Center link above, take the five patches for items SA-2021-001 to 005 and apply them to plugins-base (001), plugins-good (002, 003), plugins-ugly (004) and libav (005) and recompile everything except gstreamer (because a library from -base is affected).

10.1 006 Wireshark Date: 2021-03-16 Severity: High

In Wireshark-3.4.4, a 17-year-old security vulnerability was fixed that could allow Wireshark to open unsafe URLs from within packet dumps. These unsafe URLs did not follow standard HTTP/HTTPS schemes, but examples were shown using the NFS protocol as well as WebDAV and SMB3. This could result in remote code execution while reading a packet capture file. This has been assigned CVE-2021-22191.

Additional details may be found at Wireshark Gitlab Issue 17232.

To fix this, update to Wireshark-3.4.4 or later using the instructions in Wireshark (sysv) or Wireshark (systemd).

10.1 005 Linux Kernel (LFS) Date: 2021-03-15 Severity: Low

In Linux 5.11.3 and earlier, vulnerabilities in the iSCSI subsystem may lead to local privilege escalation. These have been assigned CVE-2021-27363, CVE-2021-27364, and CVE-2021-27365.

These vulnerabilities should only affect the systems with iSCSI devices or utilities (not in LFS or BLFS) installed.

To fix these, update to Linux 5.11.4 or later, or Linux 5.10.21 or later (if you prefer to stick with 5.10.y), using the instructions from the LFS book for Linux Kernel (sysv) or Linux Kernel (systemd). Note that the linux kernel 5.11 and 5.12 series are no longer maintained.

10.1 004 GnuTLS Date: 2021-03-12 Severity: Low

A GnuTLS client sending a "key_share" or "pre_shared_key" extension may dereference a pointer that is no longer valid after realloc() (a use after free). These have been assigned CVE-2021-20231 and CVE-2021-20232. The details can be found at the GnuTLS issue tracker.

To fix these, update to GnuTLS-3.7.1 or later using the instructions in GnuTLS (sysv) or GnuTLS (systemd).

10.1 003 MuPDF Date: 2021-03-10 Severity: Medium

A double free may lead to memory corruption and other potential consequences. This has been assigned CVE-2021-3407.

To fix this, apply the patch mupdf-1.18.0-security_fix-1.patch using the instructions for MuPDF (sysv) or MuPDF (systemd).

10.1 002 QtWebEngine Updated: 2021-03-19 Severity: High

Many CVEs present in QtWebEngine-5.15.2 have been fixed in version 5.15.3, but the 5.15.3 release tarball, and the rest of the 5.15.3 release, are not yet available to non-commercial users. Before upstream decided not to produce a file of changes, the details were recorded at A Qt code review; for the most recent of those, see Upstream Chrome, dated 2021-02-16. To fix these, update to the BLFS 5.15.3 git tarball, which the book installs as 5.15.2 to match Qt5 (or update to a later version), using the instructions at QtWebEngine (sysv) or QtWebEngine (systemd).

10.1 001 OpenSSH Date: 2021-03-03 Severity: Medium

OpenSSH-8.2p1 through OpenSSH-8.4p1 included a security vulnerability (double free) in the 'ssh-agent' program. This could lead to memory corruption and is potentially exploitable, and may lead to potential privilege escalation. This bug is only reachable by those with access to the agent socket, which is why the BLFS team has decided to rate this vulnerability as Medium severity. There is no CVE assigned for this vulnerability. Additional information can be found at OpenSSH 8.5 release announcement.

To fix this, update to OpenSSH-8.5p1 or later using the instructions in OpenSSH (sysv) or OpenSSH (systemd).

Late advisories for the 10.0 books

10.0 102 Flac Date: 2021-04-25 Severity: Medium

An error in the "read_metadata_vorbiscomment_()" function (src/libFLAC/stream_decoder.c) in FLAC version 1.3.2 can be exploited to cause a memory leak via a specially crafted FLAC file. This has been assigned CVE-2017-6888. This was fixed in flac-1.3.3, but in the meantime a further vulnerability was discovered in flac-1.3.3, so please follow the instructions for 10.1-022.

Items between the releases of the 10.0 and 10.1 books

10.0 101 node.js Date: 2021-02-26 Severity: High

Node.JS-14.16.0 fixed three security vulnerabilities. One of them is a denial of service vulnerability (resource exhaustion via HTTP2 protocols), another is a DNS rebinding attack, and a third is an integer overflow. These vulnerabilities have been assigned CVE-2021-22883, CVE-2021-22884, and CVE-2021-23840. The CVEs are not available at NVD yet, but more information can be found at February 2021 Security Releases.

To fix these, update to Node.JS-14.16.0 or later using the instructions in Node.JS (sysv) or Node.JS (systemd).

10.0 100 Thunderbird Date: 2021-02-24 Severity: High

In thunderbird before 78.8.0 there were three vulnerabilities rated as High, see mfsa2021-09. CVEs have been assigned (CVE-2021-23968, CVE-2021-23969, CVE-2021-23978), but details are not yet public.

To fix these, update to thunderbird-78.8.0 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).

10.0 099 Firefox Date: 2021-02-24 Severity: High

In firefox 78.8.0 three vulnerabilities rated as High were fixed, see mfsa2021-08. CVEs have been assigned (CVE-2021-23968, CVE-2021-23969, CVE-2021-23978), but details are not yet public.

To fix these, update to firefox-78.8.0 or later using the instructions for Firefox (sysv) or Firefox (systemd).

10.0 098 ffmpeg Date: 2021-02-23 Severity: Medium

ffmpeg-4.3.2 fixed two medium-severity arbitrary code execution vulnerabilities. These could be exploited via crafted files using the EXR and VIVIDAS codecs. These vulnerabilities have been assigned CVE-2020-35965 and CVE-2020-34964.

To fix this, update to ffmpeg-4.3.2 or later using the instructions in ffmpeg (sysv) or ffmpeg(systemd).

10.0 097 Python (LFS and BLFS) Date: 2021-02-22 Severity: Critical

Python-3.9.2 contained two security fixes. CVE-2021-3177, rated 9.8 CRITICAL, is a buffer overflow in ctypes' handling of floating-point arguments that can result in remote code execution in some Python-based programs; CVE-2021-23336, rated Medium, is a query-string splitting issue in urllib.parse that can result in web cache poisoning.

To fix this, update to Python-3.9.2 or later using the instructions from the BLFS book for Python (sysv) or Python (systemd).

10.0 096 Screen Date: 2021-02-19 Severity: Critical

In Screen-4.8.0, a security vulnerability was fixed that allows for a crash via usage of certain UTF-8 characters. The vulnerability was originally found exploited via Minecraft servers, and is currently being exploited in the wild. The vulnerability can also allow shell injection. This has been assigned CVE-2021-26937.

To fix this, apply the patch in screen-4.8.0-upstream_fixes-1.patch to your build and recompile Screen using the instructions in Screen (sysv) or Screen (systemd).

10.0 095 OpenSSL (LFS) Date: 2021-02-19 Severity: High

In OpenSSL-1.1.1j, two security vulnerabilities were fixed that could lead to a potential denial-of-service attack due to integer overflows and null pointer dereferences. These have been assigned CVE-2021-23841 and CVE-2021-23840. Additional details can be found in the OpenSSL advisory.

To fix this, update to at least OpenSSL-1.1.1j using the instructions in OpenSSL (sysv) or OpenSSL (systemd).

10.0 094 Intel Microcode Date: 2021-02-19 Severity: Medium

On Intel Skylake Xeon and Cascade Lake Xeon processors, two vulnerabilities potentially allow an authenticated user with local access to obtain information disclosure. These have been assigned CVE-2020-8696 and CVE-2020-8698. See also Intel-SA-00381.

To fix this, update to at least microcode-20210216 using the instructions for About Firmware (sysv) or About Firmware (systemd).

10.0 093 BIND Date: 2021-02-18 Updated: 2021-02-22 Severity: High

In bind-9.16.12, a security vulnerability was fixed that could allow remote unauthenticated users to crash the named process if the server is configured to use SPNEGO/GSSAPI. This is classified as a buffer overflow vulnerability. This has been assigned CVE-2020-8625.

To fix this, apply the sed found in the BIND page and rebuild BIND, using the instructions in BIND (sysv) or BIND (systemd).

10.0 092 Taglib Date: 2021-02-15 Severity: Medium

In taglib-1.11.1, a security vulnerability was found that may lead to information disclosure when using a crafted OGG file. This is classified as a use-after-free vulnerability. This has been assigned CVE-2018-11439.

To fix this, update to at least taglib-1.12 using the instructions in taglib (sysv) or taglib (systemd).

10.0 091 WebKitGTK Date: 2021-02-15 Severity: High

In WebKitGTK-2.30.5, a security vulnerability was fixed that allows arbitrary code execution when processing maliciously crafted web content, in this case audio: the issue is a use-after-free in the AudioSourceProviderGstreamer class, fixed with improved memory management. This has been assigned CVE-2020-13558, and additional information may be found at WSA-2021-0001.

To fix this, update to at least WebKitGTK-2.30.5 using the instructions in WebKitGTK (sysv) or WebKitGTK (systemd).

10.0 090 PostgreSQL Date: 2021-02-12 Severity: Medium

In PostgreSQL-13.2, two vulnerabilities were fixed that could lead to unauthorized users leaking information from a database. One of them relates to users with the UPDATE privilege but without the SELECT privilege, and the other relates to users who have SELECT privileges for only a single column being able to read all columns of the table. These have been assigned CVE-2021-3393 and CVE-2021-20229.

To fix this, update to at least postgresql-13.2 using the instructions in PostgreSQL (sysv) or PostgreSQL (systemd).

10.0 089 gnome-autoar Date: 2021-02-12 Severity: Medium

In gnome-autoar-0.2.4, a security vulnerability was found that allows for directory traversal during extraction of an archive due to a lack of proper checks for whether a file's parent is a symlink to a directory outside of the intended extraction location. This has been assigned CVE-2020-36241.

To fix this, update to at least gnome-autoar-0.3.0 using the instructions in gnome-autoar (sysv) or gnome-autoar (systemd).
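The two archive-extraction items on this page (10.0 089 above, where a parent directory of an entry can be a symlink pointing outside the destination, and 10.1 017, where glib's g_file_replace() followed a symlink at the leaf) are both "the path looked fine as a string, but the filesystem had been changed by an earlier entry" bugs. The following added example (not code from gnome-autoar, glib, file-roller or the BLFS book) extracts a constructed hostile tar member by member and applies the checks that close both holes: the parent of every entry is resolved on disk after earlier entries have been written, and the leaf is created with O_EXCL|O_NOFOLLOW so nothing is ever written through a symlink. Member names, the directory layout and the "outside" target are all constructed for the demonstration.

```python
import io
import os
import tarfile
import tempfile


def build_archive(entries):
    """Build an in-memory tar from (name, kind, payload) tuples. Constructed test data."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, payload in entries:
            info = tarfile.TarInfo(name)
            if kind == "dir":
                info.type = tarfile.DIRTYPE
                tar.addfile(info)
            elif kind == "symlink":
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tar.addfile(info)
            else:
                data = payload.encode()
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def inside(root, path):
    """True if path, after resolving every symlink on disk, lies at or below root."""
    root = os.path.realpath(root)
    return os.path.commonpath([root, os.path.realpath(path)]) == root


def safe_extract(archive_bytes, dest):
    """Extract member by member; return a list of (member name, verdict)."""
    dest = os.path.realpath(dest)
    verdicts = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes)) as tar:
        for m in tar:
            name = m.name
            # Lexical check: absolute names and '..' components are never written.
            if os.path.isabs(name) or ".." in name.split("/"):
                verdicts.append((name, "rejected: traversal in name"))
                continue
            target = os.path.join(dest, name)
            parent = os.path.dirname(target)
            # The check gnome-autoar 0.2.4 lacked: resolve the parent on disk, following any
            # symlink an earlier member created, and insist it is still inside dest.
            if not inside(dest, parent):
                verdicts.append((name, "rejected: parent escapes destination"))
                continue
            # Never replace whatever already exists at the leaf; a symlink left there by an
            # earlier member would otherwise redirect the write (the g_file_replace problem).
            if os.path.lexists(target):
                verdicts.append((name, "rejected: destination already exists"))
                continue
            os.makedirs(parent, exist_ok=True)
            if m.isdir():
                os.mkdir(target)
            elif m.issym():
                os.symlink(m.linkname, target)
            elif m.isfile():
                flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
                with os.fdopen(os.open(target, flags, 0o644), "wb") as f:
                    f.write(tar.extractfile(m).read())
            else:
                verdicts.append((name, "rejected: unsupported member type"))
                continue
            verdicts.append((name, "extracted"))
    return verdicts


def demo(dest, outside):
    """Run safe_extract over a constructed hostile archive that tries three escapes."""
    hostile = build_archive([
        ("link", "symlink", outside),                 # 1. symlink to a directory outside dest
        ("link/evil.txt", "file", "owned\n"),         #    ...then write through it
        ("../escape.txt", "file", "owned\n"),         # 2. plain '..' traversal
        ("cfg", "symlink", outside + "/secret.txt"),  # 3. symlink to a file outside dest
        ("cfg", "file", "owned\n"),                   #    ...then a regular file of that name
        ("docs", "dir", None),                        # benign content must still extract
        ("docs/readme.txt", "file", "hello\n"),
    ])
    return safe_extract(hostile, dest)


def run_demo():
    """Create two temporary directories, plant a file outside, extract, and report."""
    dest = tempfile.mkdtemp(prefix="extract-")
    outside = tempfile.mkdtemp(prefix="outside-")
    secret = os.path.join(outside, "secret.txt")
    with open(secret, "w") as f:
        f.write("keep\n")
    verdicts = demo(dest, outside)
    with open(secret) as f:
        untouched = f.read() == "keep\n" and not os.path.exists(os.path.join(outside, "evil.txt"))
    with open(os.path.join(dest, "docs", "readme.txt")) as f:
        return verdicts, untouched, f.read()


if __name__ == "__main__":
    for name, verdict in run_demo()[0]:
        print(f"{name:18} {verdict}")
```

The symlinks themselves are allowed to exist (they are harmless until something writes through them); stricter policies refuse any symlink whose target resolves outside the destination, which is what Python's own tarfile extraction filter (filter="data", available in 3.12 and in the 3.8 to 3.11 security releases) does. Either way the essential point is that the parent check must run against the filesystem as it is at the moment of writing, not against the archive's member names.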

10.0 088 xterm Date: 2021-02-12 Severity: Medium

In xterm-366, a security vulnerability was fixed that allows for a crash via usage of certain UTF-8 characters. The vulnerability was originally discovered in 'Screen', but was found to affect xterm as well. It was originally found being exploited via Minecraft servers, so as a result of its exploitation in the wild BLFS has decided to apply a severity of Medium to this vulnerability. This has been assigned CVE-2021-26937.

To fix this, update to at least xterm-366 using the instructions in xterm (sysv) or xterm (systemd).

10.0 087 Jinja2 Date: 2021-02-12 Severity: Medium

In Jinja2-2.11.2, a security vulnerability was found that allows for a repeatable denial-of-service attack via malformed regex. This has been assigned CVE-2020-28493.

To fix this, update to at least Jinja2-2.11.3 using the instructions for Jinja2 (sysv) or Jinja2 (systemd).

10.0 086 Subversion Date: 2021-02-10 Severity: Medium

In subversion-1.14.0, a security vulnerability was found that will result in a remote unauthenticated denial-of-service. This vulnerability was found in the mod_authz_svn and mod_dav_svn modules, and is a null-pointer dereference caused by attempting to access a non-existent repository. This has been assigned CVE-2020-17525.

To fix this, update to at least Subversion-1.14.1 using the instructions for Subversion (sysv) or Subversion (systemd).

10.0 085 Libgcrypt Date: 2021-02-10 Severity: High

In Libgcrypt-1.9.0 there is a heap-based buffer overflow. See CVE-2021-3345.

To fix this, update to at least Libgcrypt-1.9.1 using the instructions for Libgcrypt (sysv) or Libgcrypt (systemd).

10.0 084 Jasper Updated: 2021-02-09 Severity: High

In Jasper 2.0.24, jp2_decode in jp2/jp2_dec.c in libjasper has a heap-based buffer over-read when there is an invalid relationship between the number of channels and the number of image components. This has been assigned CVE-2021-3272.

To fix this, update to at least jasper-2.0.25 using the instructions for Jasper (sysv) or Jasper (systemd).

10.0 083 PHP Updated: 2021-02-07 Severity: Medium

In PHP before versions 7.4.15 and 8.0.2, according to Arch, PHP will crash with a SIGSEGV via a null-pointer dereference whenever XML is provided to the SoapClient query() function without an existing field. CVE-2021-21702 has been allocated but for the moment that is "reserved". See Arch's entry for CVE-2021-21702, where the severity is rated as Medium.

To fix this, update to PHP-8.0.2 or later using the instructions for PHP (sysv) or PHP (systemd).

10.0 082 (LFS) GLIBC Date: 2021-02-07 Severity: High

In Glibc before 2.33 there are four vulnerabilities in iconv which can lead to a crash when processing less-common character encodings.

CVE-2019-25013: according to Red Hat, this can be worked around by not processing untrusted input in the (uncommon) EUC-KR character set.

CVE-2020-27618 is currently marked as 'Reserved'. According to Red Hat an infinite loop can be encountered when processing data in certain IBM character sets containing redundant shift sequences. They rate the severity as Low because an attacker would need either local privileges, or to depend on an application feeding untrusted encoding input to iconv. Red Hat.

CVE-2020-29562: When processing UCS4 text containing an irreversible character, iconv fails an assertion and aborts, resulting in a denial of service. A workaround appears to be to avoid processing UCS4 input (constant 32-bit width characters) in iconv. For most users of LFS and BLFS it is expected that UCS4 input is uncommon.

CVE-2021-3326: When processing invalid input sequences in the ISO-2022-JP-3 encoding, iconv fails an assertion and aborts, resulting in a denial of service. According to Red Hat this can be worked around by not processing untrusted input in this encoding: Red Hat.

To fix these, build a new version of LFS. If you have usable backups and have tested a way to restore them via a rescue stick or similar, it might be possible to build glibc-2.33 in place and then immediately make an unclean shutdown, e.g. using MagicSysRQ if that is enabled in your kernel. Such a procedure is not recommended, nor has it been tested.

10.0 081 Firefox Updated: 2021-02-07 Severity: None

In firefox before 78.7.1 a vulnerability in the Angle graphics library was rated as Critical and a CVE was requested. It has now been clarified that this only affected Windows operating systems.

10.0 080 JasPer Date: 2021-02-04 Severity: High

BLFS had been using JasPer-2.0.14, not aware that the upstream location had moved. In versions before JasPer-2.0.24 more than 25 vulnerabilities were present, mostly either causing a remotely triggered crash (Denial of Service) or otherwise rated as High. For an overview of these see BLFS #14599. The most recent include CVE-2018-9055, CVE-2018-9252, CVE-2018-19540, CVE-2018-19541, CVE-2018-19543, and CVE-2020-27828.

To fix this, update to at least JasPer-2.0.24 using the instructions for JasPer (sysv) or JasPer (systemd).

10.0 079 Glib Date: 2021-02-04 Severity: High

Glib before 2.66.6 was vulnerable to integer truncation leading to potentially exploitable heap overflows. The issue was disclosed in a public report before a fix was available, so it is classed as a zero-day vulnerability requiring an urgent update. See GHSL-2021-045.

To fix this, update to at least Glib-2.66.6 using the instructions for Glib (sysv) or Glib (systemd).

10.0 078 Thunderbird Date: 2021-01-31 Severity: High

In thunderbird before 78.7.0 there were various vulnerabilities rated as High, see mfsa2021-05. CVEs have been assigned (CVE-2021-23953, CVE-2021-23954, CVE-2021-23960, CVE-2021-23964) but details are not yet public.

To fix this, update to Thunderbird-78.7.0 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).

10.0 077 Perl (using cpan) Date: 2021-01-30 Severity: High

If you use the 'cpan' command to build perl modules, be aware that the perl.com domain was hijacked and is currently hosted at an address associated with malware. Anyone who uses 'cpan' should ensure that www.cpan.org, and not perl.com, is the mirror in the urllist; see the details in the blfs-support archive.

10.0 076 Wireshark Date: 2021-01-30 Severity: High

Wireshark up to 3.4.2 had two vulnerabilities, a memory leak and a crash, each with its own Wireshark security advisory (wnpa-sec-2020-20). According to Red Hat these have been allocated CVE-2021-22173 and CVE-2021-22174, but these are currently 'Reserved'.

To fix these, update to wireshark-3.4.3 or later using the instructions for Wireshark (sysv) or Wireshark (systemd).

10.0 075 VLC Media Player Date: 2021-01-30 Severity: High

In VLC Media Player up to and including version 3.0.11 a remote user could create a specially crafted file or stream that would lead to crashes and potential information leakage, or perhaps arbitrary code execution. See VideoLAN-SB-VLC-3012.

To fix this, update to VLC-3.0.12 or later using the instructions for VLC (sysv) or VLC (systemd).

10.0 074 GPTfdisk Date: 2021-01-26 Severity: Moderate

In GPTfdisk before version 1.0.6 a possible out-of-bounds write in ReadLogicalParts of basicmbr.cc could be triggered by running gdisk or cgdisk on an improperly formatted MBR partition, leading to arbitrary code execution. CVE-2021-0308.

To fix this, update to GPTfdisk-1.0.6 or later using the instructions for GPTfdisk (sysv) or GPTfdisk (systemd).

10.0 073 Sudo Date: 2021-01-26 Severity: Critical

In Sudo before 1.9.5p2 the 'Baron Samedit' heap-based buffer overflow in command-line argument handling allows any local user to escalate to root without authentication, see CVE-2021-3156.

To fix this, update to Sudo-1.9.5p2 or later using the instructions for Sudo (sysv) or Sudo (systemd).
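Because this bug is reachable by every local user, it is worth confirming that an installed sudo really is fixed rather than trusting a version string. Qualys published a harmless probe for CVE-2021-3156: run "sudoedit -s /" as an unprivileged user; a patched sudo rejects the -s/-e combination while parsing arguments and prints a usage message, whereas a vulnerable build gets past argument parsing and prints an error starting with "sudoedit:". The following added example (not code from the sudo project or the BLFS book) wraps that probe; the verdict strings and the timeout are choices made for the example.

```python
import os
import shutil
import subprocess


def classify_sudoedit_output(stderr):
    """Classify the stderr of `sudoedit -s /` as Qualys described for CVE-2021-3156.

    Patched: argument parsing rejects -s together with edit mode and prints "usage: ...".
    Vulnerable: parsing succeeds and sudo goes on to complain about something else,
    typically "sudoedit: /: not a regular file" (or a sudoers/terminal message, which
    also starts with the program name). Anything else is reported as unknown.
    """
    for line in stderr.splitlines():
        line = line.strip()
        if line.startswith("usage:"):
            return "patched"
        if line.startswith("sudoedit:"):
            return "vulnerable"
    return "unknown"


def check_baron_samedit(timeout=5):
    """Run the probe on this host. Returns 'patched', 'vulnerable' or 'unknown: <reason>'."""
    if shutil.which("sudoedit") is None:
        return "unknown: sudoedit not installed"
    if os.geteuid() == 0:
        return "unknown: run the probe as an unprivileged user"
    try:
        proc = subprocess.run(
            ["sudoedit", "-s", "/"],
            stdin=subprocess.DEVNULL,  # never feed sudo anything interactively
            capture_output=True, text=True, timeout=timeout,
        )
    except subprocess.TimeoutExpired:
        # sudo reads passwords from /dev/tty, so a hung probe usually means a
        # vulnerable build sitting at a password prompt; report it as unknown.
        return "unknown: sudoedit did not return"
    return classify_sudoedit_output(proc.stderr)


if __name__ == "__main__":
    print(check_baron_samedit())
```

The probe never triggers the overflow (that needs a trailing backslash and a long argument); it only observes which code path sudo's argument parser takes, so it is safe to run on production hosts and can be dropped into a fleet-wide check.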

10.0 072 JS78 Date: 2021-01-26 Severity: High

In the javascript code of firefox-78.7.0 there is a fix for a 'Use-after-poison' vulnerability leading to a potentially exploitable crash. CVE-2021-23960 has been assigned but details are not yet public. Summary details are at mfsa2021-04.

To fix this, update to JS-78.7.0 or later using the instructions for JS78 (sysv) or JS78 (systemd).

10.0 071 Firefox Date: 2021-01-26 Severity: High

In firefox 78.7.0 several vulnerabilities were fixed, the following being rated as High. See mfsa2021-04. CVEs have been assigned (CVE-2021-23953, CVE-2021-23954, CVE-2021-23960, CVE-2021-23964) but details are not yet public.

To fix these, update to firefox-78.7.0 or later using the instructions for Firefox (sysv) or Firefox (systemd).

10.0 070 Vorbis Tools Updated: 2021-01-26 Severity: High

Three vulnerabilities in Vorbis Tools 1.4.0 could cause crashes. CVE-2014-9638, CVE-2014-9639, CVE-2017-11331.

To fix these, update to Vorbis Tools 1.4.2 or later using the instructions for Vorbis Tools (sysv) or Vorbis Tools (systemd).

10.0 069 Seamonkey Updated: 2021-01-26 Severity: Critical

Fixes from firefox-78.4.1 to 78.6.0, and from thunderbird-78.6.0 were included in seamonkey-2.53.6. See BLFS #14548. The following are rated as Critical or High: CVE-2020-16042, CVE-2020-26950, CVE-2020-26951, CVE-2020-26968, CVE-2020-26970, CVE-2020-26973, CVE-2020-26974, CVE-2020-26978, CVE-2020-35113.

To fix these, update to Seamonkey-2.53.6 or later using the instructions for Seamonkey (sysv) or Seamonkey (systemd).

10.0 068 Mutt Updated: 2021-01-25 Severity: Medium

In mutt through version 2.0.4 it was possible to cause a Denial of Service (the specific mailbox became unreadable) by sending a message with sequences of semicolons in RFC822 fields, causing large memory consumption. See CVE-2021-3181.

This was initially fixed with a minimal upstream patch, mutt-2.0.4-memleak-1.patch, but the 2.0.5 release followed a few days later with slightly more fixes. To fix this, update to mutt-2.0.5 or later using the instructions for Mutt (sysv) or Mutt (systemd).

10.0 067 ImageMagick Date: 2021-01-14 Severity: High

BLFS updated to ImageMagick-7.0.10-57 from 7.0.10-27 to fix two security vulnerabilities: a division by zero causing a Denial of Service (CVE-2020-27560), and the -authenticate option, used to set a password for password-protected PDF files, not being properly sanitized, allowing users to inject additional shell commands (CVE-2020-29599).

To fix this, update to ImageMagick-7.0.10-57 or later using the instructions for ImageMagick (sysv) or ImageMagick (systemd).

10.0 066 Thunderbird Date: 2021-01-12 Severity: Critical

In thunderbird before 78.6.1 a malicious peer could have modified a COOKIE-ECHO chunk in an SCTP packet in a way that potentially resulted in a use-after-free. See mfsa2021-02. This has been allocated CVE-2020-16044 but for the moment no details are available.

To fix this, update to Thunderbird-78.6.1 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).

10.0 065 Sudo Updated: 2021-02-04 Severity: High

In Sudo before 1.9.5 there are two privilege escalation vulnerabilities, one marked as High. See oss-security and CVE-2021-20239, CVE-2021-23240.

To fix this, update to Sudo-1.9.5p1 or later using the instructions for Sudo (sysv) or Sudo (systemd).

10.0 064 PHP Updated: 2021-02-04 Severity: Medium

In PHP before 7.4.14, 8.0.1 FILTER_VALIDATE_URL accepts URLs with invalid userinfo. CVE-2020-7071 has been allocated but for the moment that is "reserved". See ASA-202101-9 (Arch linux).

To fix this, update to PHP-8.0.1 or later using the instructions for PHP (sysv) or PHP (systemd).

10.0 063 Firefox Date: 2021-01-06 Severity: Critical

In firefox before 78.6.1 a malicious peer could have modified a COOKIE-ECHO chunk in an SCTP packet in a way that potentially resulted in a use-after-free. See mfsa2021-01. This has been allocated CVE-2020-16044 but for the moment no details are available.

To fix this, update to firefox-78.6.1 or later using the instructions for Firefox (sysv) or Firefox (systemd).

10.0 062 Node.js Date: 2021-01-05 Severity: High

In Node.js before 12.20.1 and 14.15.4, one High severity vulnerability (a use after free leading to Denial of Service or other exploits) and two Medium severity vulnerabilities were fixed (one of them is in OpenSSL but could be exploited through Node.js). CVE-2020-8265, CVE-2020-8287, CVE-2020-1971.

To fix these, update to Node.js-14.15.4 or later using the instructions for Node.js (sysv) or Node.js (systemd). Alternatively, if you are still using the v12 series, you may prefer to update to v12.20.1 or later.

10.0 061 Poppler Updated: 2021-02-04 Severity: Disputed

A high severity heap-based buffer overflow via a crafted PDF was reported against Poppler-20.12.1 and assigned CVE-2020-35702, but later reports indicate that this only applies to Poppler git clones in late December 2020 (which might be used by third-party projects). For BLFS no action is now necessary.

10.0 060 Dovecot Date: 2021-01-04 Severity: Medium

In Dovecot before version 2.3.13, if IMAP hibernation has been enabled (it is off by default) an attacker can access other users' emails and filesystem information. It has been assigned CVE-2020-24386.

A workaround is to disable imap hibernation by ensuring imap_hibernate_timeout is either set to 0 or unset.

To fix this, update to dovecot-2.3.13 or later using the instructions for Dovecot (sysv) or Dovecot (systemd).

10.0 059 Libpcap Date: 2021-01-04 Severity: High

The changes file for Libpcap-1.10.0 at tcpdump.org mentions various security fixes.

To fix these, update to Libpcap-1.10.0 or later using the instructions for Libpcap (sysv) or Libpcap (systemd).

10.0 058 OpenJPEG Date: 2020-12-15 Severity: High

In OpenJPEG before 2.4.0 there are two vulnerabilities rated as high, and another two rated as medium. See CVE-2019-6988, CVE-2019-12793, CVE-2020-6851, CVE-2020-8112.

To fix these, update to OpenJPEG-2.4.0 or later using the instructions for OpenJPEG2 (sysv) or OpenJPEG2 (systemd).

10.0 057 Wireshark Updated: 2021-02-04 Severity: Invalid

A Medium Security Advisory for a crash in Wireshark 3.4.0 and 3.4.1 was raised and allocated CVE-2020-26422, but it was later determined that the bug was not present in any released version of Wireshark: wnpa-sec-2020-20 so no action is necessary.

10.0 056 Thunderbird Date: 2020-11-19 Severity: Critical

Several vulnerabilities were fixed in Thunderbird-78.6.0, one was rated as Critical. Details are at mfsa2020-56, CVE-2020-16042, CVE-2020-26970, CVE-2020-26971, CVE-2020-26973, CVE-2020-26974, CVE-2020-26978, CVE-2020-35113.

To fix this, update to Thunderbird-78.6.0 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).

10.0 055 Wireshark Date: 2020-09-23 Severity: High

Four Medium Security Advisories for items which could cause Wireshark to crash were fixed in Wireshark-3.4.1, detailed at Wireshark Security, but in addition the editors had overlooked a High severity item fixed in Wireshark-3.4.0. CVE-2020-26418, CVE-2020-26419, CVE-2020-26420, CVE-2020-26421, CVE-2020-26575, CVE-2020-28030.

To fix these, update to wireshark-3.4.1 or later using the instructions for Wireshark (sysv) or Wireshark (systemd).

10.0 054 P11-Kit Date: 2020-12-15 Severity: High

In P11-Kit up to 0.23.21 there are two vulnerabilities rated as high, and another rated as medium. See CVE-2020-29361, CVE-2020-29362, CVE-2020-29363.

To fix this, update to p11-kit-0.23.22 or later using the instructions for P11-Kit (sysv) or P11-Kit (systemd).

10.0 053 Firefox Date: 2020-12-15 Severity: Critical

Several vulnerabilities were found in firefox before 78.6.0, of which one was rated as critical and four as high by upstream, as well as one rated low (but rated as Medium by NVD) where internal network hosts and services on the user's machine could have been probed by a malicious webpage. Details are at mfsa2020-55 and CVE-2020-16042, CVE-2020-26971, CVE-2020-26973, CVE-2020-26974, CVE-2020-26978, CVE-2020-35113.

To fix these, update to firefox-78.5.0 or later using the instructions for Firefox (sysv) or Firefox (systemd).

10.0 052 OpenSSL (LFS) Date: 2020-12-15 Severity: High

The EDIPARTYNAME NULL pointer de-reference allows an attacker who can trick a client or server into checking a malicious X509 certificate to trigger a crash. This is rated High. It has been assigned CVE-2020-1971 with fuller details at OpenSSL.

To fix this, update to at least OpenSSL-1.1.1i using the instructions from the LFS book for OpenSSL (sysv) or OpenSSL (systemd).

10.0 051 Python (LFS and BLFS) Date: 2020-12-15 Severity: High

Python-3.9.1 includes three security fixes. See bpo-40791, bpo-42051, bpo-42103.

To fix this, update to at least Python-3.9.1 using the instructions from the BLFS book for Python (sysv) or Python (systemd).

10.0 050 cURL Date: 2020-12-11 Severity: High

cURL before version 7.74.0 has two vulnerabilities rated as High, an uncontrolled recursion and an improper check for certificate revocation, as well as one rated as Low. See BLFS #14363 and CVE-2020-8284, CVE-2020-8285, CVE-2020-8286.

To fix these, update to cURL-7.74.0 or later following the instructions for cURL (sysv) or cURL (systemd).

10.0 049 Gdk-Pixbuf Date: 2020-12-08 Severity: Medium

Gdk-Pixbuf before version 2.42.2 is vulnerable to a Denial of Service (infinite loop) which can, for example, be triggered using a crafted GIF image with LZW compression. CVE-2020-29385.

To fix this, update to Gdk-Pixbuf-2.42.2 or later following the instructions for Gdk-Pixbuf (sysv) or Gdk-Pixbuf (systemd).

10.0 048 Xorg-Server Date: 2020-12-05 Severity: High

In Xorg-Server before version 1.20.10 two input validation failures in X server extensions were found. These can lead to local privilege escalations (to root) if the X server is running privileged. These have been assigned CVE-2020-14360 and CVE-2020-25712.

To fix this, update to at least Xorg-Server-1.20.10 using the instructions for Xorg-Server (sysv) or Xorg-Server (systemd).

10.0 047 Unbound Updated: 2020-12-05 Severity: Medium

Unbound up to and including version 1.12.0 contains a vulnerability that would allow a local symlink attack. Severity downgraded following availability of analysis. CVE-2020-28935.

To fix this, update to Unbound-1.13.0 or later following the instructions for Unbound (sysv) or Unbound (systemd).

10.0 046 Mutt Date: 2020-11-26 Severity: Medium

Mutt before version 2.0.2 had incorrect error handling when initially connecting to an IMAP server, which could result in an attempt to authenticate without enabling TLS. CVE-2020-28896.

To fix this, update to mutt-2.0.2 or later following the instructions for Mutt (sysv) or Mutt (systemd).

10.0 045 LibEXIF Date: 2020-11-21 Severity: Critical

Three vulnerabilities were found in LibEXIF-0.6.22, two are rated as High and one as Critical. See BLFS #14272 and the following CVEs: CVE-2020-0181, CVE-2020-0198, CVE-2020-0452.

To fix these, update to a version of LibEXIF after version 0.6.22 if one is released, or apply the patch libexif-0.6.22-security_fixes-1.patch following the instructions for LibEXIF (sysv) or LibEXIF (systemd).

10.0 044 LibXML2 Date: 2020-11-21 Severity: High

Three vulnerabilities leading to Denial of Service were found in LibXML2-2.9.10, two of these are rated as High. See BLFS #14271 and the following CVEs: CVE-2019-20388, CVE-2020-7595, CVE-2020-24977.

To fix these, apply the patch libxml2-2.9.10-security_fixes-1.patch following the instructions for LibXML2 (sysv) or LibXML2 (systemd), or update to a later version if one is released.

10.0 043 WebKitGTK Date: 2020-11-25 Severity: High

Five vulnerabilities rated as High were found in WebKitGTK. See BLFS #14281 and the following CVEs (most were filed against Safari, which uses WebKit): CVE-2020-9948, CVE-2020-9951, CVE-2020-9952, CVE-2020-9983, CVE-2020-13584.

To fix this, update to at least webkitgtk-2.30.3 using the instructions for WebKitGTK (sysv) or WebKitGTK (systemd).

10.0 042 Qt5 and QtWebEngine Date: 2020-11-20 Severity: Critical

The release of QtWebEngine-5.15.2 pulled in many more CVE fixes from Chrome, of which four were 0day fixes. The rest of Qt5 includes many bug fixes, some of which address heap buffer overflows. For QtWebEngine see QtWebEngine 5.15.2 changes; for the other parts of Qt5 see Qt-5.15.2 Changes.

To fix these, update to at least Qt-5.15.2 and QtWebEngine-5.15.1 using the instructions for Qt5 (sysv) and QtWebEngine (sysv), or Qt5 (systemd) and QtWebEngine (systemd).

10.0 041 Thunderbird Date: 2020-11-19 Severity: High

Several vulnerabilities were fixed in Thunderbird-78.5.0, two were rated High. Details are at mfsa2020-52, CVE-2020-26951, CVE-2020-26968.

To fix this, update to Thunderbird-78.5.0 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).

10.0 040 Kerberos 5 Date: 2020-11-19 Severity: High

A vulnerability in Kerberos 5 before krb5-1.18.3 allowed a Denial of Service to be triggered when decoding Kerberos protocol messages. See Release Notes.

To fix this, update to krb5-1.18.3 or later using the instructions for Kerberos (sysv) or Kerberos (systemd).

10.0 039 C-Ares Date: 2020-11-19 Severity: High

An application using C-Ares versions from 1.16.0 to 1.17.0 allows an attacker to trigger a Denial of Service by getting the application to resolve a DNS record with a large number of responses. See CVE-2020-8277, which was initially raised against Node.js.

To fix this, update to C-Ares-1.17.1 or later using the instructions for C-Ares (sysv) or C-Ares (systemd).

10.0 038 Node.js Date: 2020-11-19 Severity: High

A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could be made to suffer a Denial of Service by getting the application to resolve a DNS record with a large number of responses. This also applies to C-Ares, which is shipped with Node.js. CVE-2020-8277.

To fix this, update to Node.js-14.15.1 or later using the instructions for Node.js (sysv) or Node.js (systemd). Alternatively, if you are still using the v12 series, you may prefer to update to v12.19.1 or later.

10.0 037 JS78 Date: 2020-11-16 Severity: High

Several vulnerabilities were found in firefox before 78.5.0, of which one was in the javascript (js/src) code. Summary details are at mfsa2020-51.

To fix this, update to JS-78.5.0 or later using the instructions for JS78 (sysv) or JS78 (systemd).

10.0 036 Firefox Date: 2020-11-16 Severity: High

Several vulnerabilities were found in firefox before 78.5.0, of which two were rated as high by upstream. Details are at mfsa2020-51 and CVE-2020-26951 and CVE-2020-26968.

To fix this, update to firefox-78.5.0 or later using the instructions for Firefox (sysv) or Firefox (systemd).

10.0 035 Raptor Date: 2020-11-13 Severity: High

A heap overflow vulnerability in Raptor can lead to an out-of-bounds write. Details are at oss-security and CVE-2017-18926.

To fix this, patch raptor-2.0.15 using raptor-2.0.15-security_fixes-1.patch and the instructions for Raptor (sysv) or Raptor (systemd).

10.0 034 PostgreSQL Date: 2020-11-12 Severity: High

Three vulnerabilities rated as High were found in PostgreSQL before 13.1. Details are at PostgreSQL and CVE-2020-25694, CVE-2020-25695, CVE-2020-25696.

To fix this, update to PostgreSQL-13.1 or later, using the instructions for PostgreSQL (sysv) or PostgreSQL (systemd).

10.0 033 Thunderbird Date: 2020-11-10 Severity: Critical

The javascript vulnerability fixed in firefox-78.4.1 also applies to thunderbird. Details are at mfsa2020-49 and CVE-2020-26950.

To fix this, update to Thunderbird-78.4.2 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).

10.0 032 Seamonkey Updated: 2020-11-21 Severity: Critical

The javascript vulnerability in JS-78.4.1 and firefox-78.4.1 also applies to seamonkey-2.53.4. In BLFS this was initially partly fixed by patching Seamonkey-2.53.4 using seamonkey-2.53.4-security_fixes-1.patch, but was later revised to use Seamonkey-2.53.5 when that became available. Seamonkey-2.53.5.1 then had further fixes for this.

To fix these, update to Seamonkey-2.53.5.1 or later using the instructions for Seamonkey (sysv) or Seamonkey (systemd).

10.0 031 JS78 Date: 2020-11-09 Severity: Critical

An exploitable use-after-free was found in JS78 before 78.4.1. Details are at mfsa2020-49 and CVE-2020-26950.

To fix this, update to JS-78.4.1 or later using the instructions for JS78 (sysv) or JS78 (systemd).

10.0 030 Firefox Date: 2020-11-09 Severity: Critical

An exploitable use-after-free was found in firefox before 78.4.1. Details are at mfsa2020-49 and CVE-2020-26950.

To fix this, update to firefox-78.4.1 or later using the instructions for Firefox (sysv) or Firefox (systemd).

10.0 029 MariaDB Date: 2020-11-04 Severity: Medium

Four CVE vulnerabilities were identified in MariaDB before version 10.5.7, as well as a high security vulnerability only applicable to Windows. See Release Notes and CVE-2020-14812, CVE-2020-14765, CVE-2020-14776, CVE-2020-14789.

To fix this, update to at least mariadb-10.5.7 using the instructions for MariaDB (sysv) or MariaDB (systemd).

10.0 028 Samba Date: 2020-10-30 Severity: Medium

Three CVE vulnerabilities were identified in Samba before version 4.13.1, see Samba History and CVE-2020-14318, CVE-2020-14323, CVE-2020-14383.

To fix this, update to at least samba-4.13.1 using the instructions for Samba (sysv) or Samba (systemd).

10.0 027 Libass Date: 2020-10-30 Severity: High

There was a signed integer overflow in libass-0.14.0. See CVE-2020-26682.

To fix this, update to at least libass-0.15.0 using the instructions for Libass (sysv) or Libass (systemd).

10.0 026 The Gstreamer stack Date: 2020-10-27 Severity: High

Upstream made an emergency release of gstreamer-1.18.1 and its stack containing important security fixes. At the same time the gstreamer-1.16.3 stack was released with similar fixes. Limited details are available at 1.18.1 Release Notes and 1.16.3 Release Notes.

On systems running Gstreamer 1.16 versions, such as BLFS-10.0, update to the gstreamer-1.16.3 packages (gstreamer, -libav, -plugins, -vaapi) using the instructions from the BLFS-10.0 book for Gstreamer 1.16 (sysv) and the rest of the stack, or Gstreamer 1.16 (systemd) and the rest of the stack.

On systems running Gstreamer 1.18 versions, update to the gstreamer-1.18.1 or later packages (gstreamer, -libav, -plugins, -vaapi) using the instructions for Gstreamer 1.18 (sysv) and the rest of the stack, or Gstreamer 1.18 (systemd) and the rest of the stack.

10.0 025 Thunderbird Date: 2020-10-23 Severity: High

Three vulnerabilities rated as High were fixed in thunderbird-78.4.0. Details are at mfsa2020-47.

To fix this, update to Thunderbird-78.4.0 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).

10.0 024 FreeType Date: 2020-10-20 Severity: High

There was an emergency release fixing a vulnerability in embedded PNG bitmap handling (present since FreeType-2.6) which was being actively exploited. The original CVE was raised against Chrome OS and only rated as Medium. See CVE-2020-15999 and Sourceforge - Changes in 2.10.4.

To fix this, update to freetype-2.10.4 or later using the instructions for FreeType (sysv) or FreeType (systemd).

10.0 023 LXML Updated: 2020-11-28 Severity: Medium

A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of a vulnerable website. CVE-2020-27783 and cybersecurity-help.cz.

This was thought to be fixed in LXML-4.6.1, but that fix was inadequate. To fix this, update to LXML-4.6.2 or later using the instructions for LXML (sysv) or LXML (systemd).

10.0 022 NSS Date: 2020-10-17 Severity: High

A flaw was found in the CCS handling, allowing a remote attacker to cause a denial of service for servers linked against NSS. CVE-2020-25613.

To fix this, update to at least NSS-3.58 using the instructions for NSS (sysv) or NSS (systemd).

10.0 021 Stunnel Date: 2020-10-16 Severity: High

In Stunnel-5.57 the "redirect" option was fixed to properly handle "verifyChain = yes". See Stunnel NEWS.

To fix this, update to at least stunnel-5.57 using the instructions for Stunnel (sysv) or Stunnel (systemd).

10.0 020 Ruby Date: 2020-10-06 Severity: High

Ruby before 2.7.2 had a vulnerability in its WEBrick HTTP server. CVE-2020-25613.

To fix this, update to at least Ruby-2.7.2 using the instructions for Ruby (sysv) or Ruby (systemd).

10.0 019 PHP Date: 2020-10-05 Severity: Medium

PHP before 7.4.11 had two CVE vulnerabilities, CVE-2020-1472 and CVE-2020-1472.

To fix this, update to at least PHP-7.4.11 using the instructions for PHP (sysv) or PHP (systemd).

10.0 018 Glib Date: 2020-10-05 Severity: Medium

Glib before 2.66.1 had incorrect scope/zone ID parsing of URIs. See Release Notes.

To fix this, update to at least Glib-2.66.1 using the instructions for Glib (sysv) or Glib (systemd).

10.0 017 Wireshark Date: 2020-09-23 Severity: High

Three Security Advisories (wnpa-sec-2020-11,12,13) which could cause Wireshark to crash were fixed in Wireshark-3.2.7, detailed at Wireshark Security and CVE-2020-25862, CVE-2020-25863, CVE-2020-25866.

To fix these, update to wireshark-3.2.7 or later using the instructions for Wireshark (sysv) or Wireshark (systemd).

10.0 016 Thunderbird Updated: 2020-09-25 Severity: High

Revised 2020-09-26

Five vulnerabilities with CVE numbers were fixed in thunderbird-78.3.0 including a memory safety bug rated as High. Details are at mfsa2020-44.

But users of that version of thunderbird reported numerous crashes. To fix the vulnerabilities and the crashes update to thunderbird-78.3.1 or later using the instructions for Thunderbird (sysv) or Thunderbird (systemd).

10.0 015 Seamonkey Date: 2020-09-23 Severity: Critical

Security fixes from firefox-60.6 up to firefox ESR-78.1 were included in Seamonkey-2.53.4. Please see The Release Notes.

To fix these, update to Seamonkey-2.53.4 or later using the instructions for Seamonkey (sysv) or Seamonkey (systemd).

10.0 014 Firefox Date: 2020-09-21 Severity: High

Four vulnerabilities with CVE numbers were fixed in firefox-78.3.0 including a memory safety bug rated as High. Details are at mfsa2020-43.

To fix these, update to firefox-78.3.0 or later using the instructions for Firefox (sysv) or Firefox (systemd).

10.0 013 Samba Date: 2020-09-26 Severity: Critical

A critical security vulnerability in Samba was discovered, dubbed "ZeroLogon". This vulnerability is classified as an authentication bypass, and is rated 10.0 on the CVSSv3 scale. CVE-2020-1472 has been assigned.

To fix this, update to Samba-4.12.7 or later using the instructions for Samba (sysv) or Samba (systemd).

10.0 012 Node.js Date: 2020-09-17 Severity: High

Multiple security vulnerabilities were discovered in Node.js, including two marked as High. These have been assigned CVE-2020-8201 and CVE-2020-8252.

To fix this, update to Node.js-12.18.4 or later using the instructions for Node.js (sysv) or Node.js (systemd).

10.0 011 Qt5 and QtWebEngine Date: 2020-09-10 Severity: Critical

Many security vulnerabilities were discovered in Qt5-5.15.0 and QtWebEngine. For an overview, including the approximately 50 security fixes from Chrome which had CVEs assigned at the time of the update, see BLFS ticket #14026.

To fix this, update to at least Qt-5.15.1 and QtWebEngine-5.15.1 using the instructions for Qt5 (sysv) and QtWebEngine (sysv), or Qt5 (systemd) and QtWebEngine (systemd).

10.0 010 Linux Kernel (LFS) Date: 2020-09-15 Severity: High

In Linux Kernels before 5.8.8 there is a potential privilege escalation. See oss-security.

To fix this, update to linux-5.8.9 or later using the instructions from the LFS book for Linux Kernel (sysv) or Linux Kernel (systemd).

10.0 009 Bison (LFS) Date: 2020-09-15 Severity: Low

Bison-3.7.2 fixed all known CVE vulnerabilities in bison itself, the generated code should not be affected. See The Release Announcement.

To fix this, update to bison-3.7.2 or later using the instructions from the LFS book for Bison (sysv) or Bison (systemd).

10.0 008 Cryptsetup Date: 2020-09-06 Severity: High

An out of bounds memory write was discovered in Cryptsetup. Note that this only affects 32-bit builds of cryptsetup. CVE-2020-14382 has been assigned.

To fix this, update to at least cryptsetup-2.3.4 using the instructions for Cryptsetup (sysv) or Cryptsetup (systemd).

10.0 007 GnuPG Date: 2020-09-06 Severity: Critical

A critical security bug was discovered in GnuPG 2.2.21 as shipped in BLFS 10.0, and in 2.2.22. This vulnerability will trigger whenever a key with preference lists for the AEAD algorithms is loaded, and can be exploited. CVE-2020-25125 has been assigned.

To fix this, update to GnuPG-2.2.23 or later using the instructions for GnuPG (sysv) or GnuPG (systemd).

10.0 006 Brotli Date: 2020-09-06 Severity: Medium

An integer overflow in brotli before version 1.0.9 can lead to a crash. This was assigned CVE-2020-8927.

To fix this, update to brotli-1.0.9 or later using the instructions for Brotli (sysv) or Brotli (systemd).

10.0 005 BIND Date: 2020-09-05 Severity: High

A variety of vulnerabilities were found in BIND. Most could cause a crash, but one allows privilege escalation by someone with authority to change a subset of the zone's content. These were assigned CVE-2020-8620, CVE-2020-8621, CVE-2020-8622, CVE-2020-8623 and CVE-2020-8624. See also BIND 9 Security Vulnerability Matrix #114-8.

To fix this, update to BIND-9.6.16 or later using the instructions for BIND (sysv) or BIND (systemd).

10.0 004 CIFS-utils Date: 2020-09-05 Severity: High

The mount.cifs program was invoking a shell when requesting the Samba password, which could be used to inject arbitrary commands. An attacker able to invoke mount.cifs with special permission, such as via sudo rules, could use this flaw to escalate their privileges. This was assigned CVE-2020-14342, more details at samba-technical.

To fix this, update to cifs-utils-6.11 or later using the instructions for CIFS-utils (sysv) or CIFS-utils (systemd).

10.0 003 GnuTLS Date: 2020-09-03 Severity: High

A null-pointer dereference causing a remotely-triggered crash in the client application was found and assigned CVE-2020-24659, see also GNUTLS-SA-2020-09-04.

To fix this, update to at least GnuTLS-3.6.15 using the instructions for GnuTLS (sysv) or GnuTLS (systemd).

10.0 002 Xorg-Server Date: 2020-09-03 Severity: High

In Xorg-Server before version 1.20.9 several input validation failures in X server extensions were found. These can lead to local privilege escalations (to root) if the X server is running privileged. These have been assigned CVE-2020-14360, CVE-2020-14346, CVE-2020-14361 and CVE-2020-14362.

To fix this, update to at least Xorg-Server-1.20.9 using the instructions for Xorg-Server (sysv) or Xorg-Server (systemd).

10.0 001 LibX11 Date: 2020-09-03 Severity: High

Effective 2020-09-03

In libX11 before version 1.6.12 an integer overflow and double-free was found, which could lead to privilege escalation. This has been assigned CVE-2020-14363.

To fix this, update to at least libX11-1.6.12 using the instructions for Xorg Libraries (sysv) or Xorg Libraries (systemd).